amadey | 7d410d6cb63e94a97e6688255ca56279bac5cacc70d37f91986f2235ce99ef8e

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
Size

514KB
MD5

eeed819879e60a78356884c79cc1176d
SHA1

73182a6228fb1978bb85b750939e58083733dae4
SHA256

3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb
SHA512

ec81ffafd04adfeb3849df9b2fc7f501b652124b0d3d40c2adef0f53a95fa17385a955ddc5f6598893572ae8e3a067cc80f7ae5a2600f5ce1514395b7e83a8bf
SSDEEP

12288:gMrDy90VStL+T5sUZjdKCjNhbdg9f23ulFmoU61Z/d0Z/+mxQz:zyAcIHH5r4rmj4W+m0

Score

10^/10

amadey healer redline smokeloader lande backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4363599.exe	healer
behavioral13/memory/4412-22-0x0000000000BB0000-0x0000000000BBA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a4363599.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4363599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4363599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4363599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4363599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4363599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4363599.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2143977.exe	family_redline
behavioral13/memory/5036-44-0x0000000000030000-0x0000000000060000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b6605019.exepdates.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	b6605019.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	pdates.exe

Executes dropped EXE 9 IoCs

Processes:

v3816692.exev6658097.exea4363599.exeb6605019.exepdates.exec6160134.exed2143977.exepdates.exepdates.exe

pid process

4752 v3816692.exe
4800 v6658097.exe
4412 a4363599.exe
4960 b6605019.exe
4528 pdates.exe
4764 c6160134.exe
5036 d2143977.exe
60 pdates.exe
1068 pdates.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a4363599.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4363599.exe

pid	process
4752	v3816692.exe
4800	v6658097.exe
4412	a4363599.exe
4960	b6605019.exe
4528	pdates.exe
4764	c6160134.exe
5036	d2143977.exe
60	pdates.exe
1068	pdates.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4363599.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

v6658097.exe3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exev3816692.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6658097.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3816692.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c6160134.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6160134.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6160134.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6160134.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2128 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a4363599.exe

pid process

4412 a4363599.exe
4412 a4363599.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a4363599.exe

description pid process

Token: SeDebugPrivilege 4412 a4363599.exe

pid	process
2128	schtasks.exe

pid	process
4412	a4363599.exe
4412	a4363599.exe

description	pid	process
Token: SeDebugPrivilege	4412	a4363599.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exev3816692.exev6658097.exeb6605019.exepdates.execmd.exe

description	pid	process	target process
PID 3328 wrote to memory of 4752	3328	3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe	v3816692.exe
PID 3328 wrote to memory of 4752	3328	3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe	v3816692.exe
PID 3328 wrote to memory of 4752	3328	3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe	v3816692.exe
PID 4752 wrote to memory of 4800	4752	v3816692.exe	v6658097.exe
PID 4752 wrote to memory of 4800	4752	v3816692.exe	v6658097.exe
PID 4752 wrote to memory of 4800	4752	v3816692.exe	v6658097.exe
PID 4800 wrote to memory of 4412	4800	v6658097.exe	a4363599.exe
PID 4800 wrote to memory of 4412	4800	v6658097.exe	a4363599.exe
PID 4800 wrote to memory of 4960	4800	v6658097.exe	b6605019.exe
PID 4800 wrote to memory of 4960	4800	v6658097.exe	b6605019.exe
PID 4800 wrote to memory of 4960	4800	v6658097.exe	b6605019.exe
PID 4960 wrote to memory of 4528	4960	b6605019.exe	pdates.exe
PID 4960 wrote to memory of 4528	4960	b6605019.exe	pdates.exe
PID 4960 wrote to memory of 4528	4960	b6605019.exe	pdates.exe
PID 4752 wrote to memory of 4764	4752	v3816692.exe	c6160134.exe
PID 4752 wrote to memory of 4764	4752	v3816692.exe	c6160134.exe
PID 4752 wrote to memory of 4764	4752	v3816692.exe	c6160134.exe
PID 4528 wrote to memory of 2128	4528	pdates.exe	schtasks.exe
PID 4528 wrote to memory of 2128	4528	pdates.exe	schtasks.exe
PID 4528 wrote to memory of 2128	4528	pdates.exe	schtasks.exe
PID 4528 wrote to memory of 1036	4528	pdates.exe	cmd.exe
PID 4528 wrote to memory of 1036	4528	pdates.exe	cmd.exe
PID 4528 wrote to memory of 1036	4528	pdates.exe	cmd.exe
PID 1036 wrote to memory of 1264	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 1264	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 1264	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 5072	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 5072	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 5072	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 3380	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 3380	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 3380	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 1912	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 1912	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 1912	1036	cmd.exe	cmd.exe
PID 1036 wrote to memory of 5040	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 5040	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 5040	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 1436	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 1436	1036	cmd.exe	cacls.exe
PID 1036 wrote to memory of 1436	1036	cmd.exe	cacls.exe
PID 3328 wrote to memory of 5036	3328	3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe	d2143977.exe
PID 3328 wrote to memory of 5036	3328	3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe	d2143977.exe
PID 3328 wrote to memory of 5036	3328	3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe	d2143977.exe

C:\Users\Admin\AppData\Local\Temp\3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
"C:\Users\Admin\AppData\Local\Temp\3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3816692.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3816692.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6658097.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6658097.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4363599.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4363599.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6605019.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6605019.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        7⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        7⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        7⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        7⤵
        
        PID:1436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6160134.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6160134.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2143977.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2143977.exe
  2⤵
  - Executes dropped EXE
  PID:5036

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:60

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2143977.exe

Filesize
173KB

MD5
be04131e5c943ce76c2d7847eaef95fb

SHA1
c666d45e6e783b1cb17db34ee9af1f617eb619f0

SHA256
07213b72374699180e7103779b2cba5f6dabf50cabb5ef1a81b4b8dd83eb0d22

SHA512
da4540c962c0927eac1e87edd3d26e86f75f4c35c500af831500db016428ac7ddd1c9d5e21d8862573e65ff0f62e2f036dc3e71acb40e389c69a29dbc554d1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3816692.exe

Filesize
359KB

MD5
ab84a7fef0caeb68f511121cbc9ffae1

SHA1
cd0a9c0596113087560401ecbca21b1f5f55b4d8

SHA256
7a30bd87b7a7d682da38acb034023d1f204b4f74ced6d72785d5d382bb37eb93

SHA512
e58c78744fdd86c499321f298f1ac268bd88c609b2d5137f969cc03d91abca6dfe5b05d74d02cfe285c137ac4133920f97accda01590ccf85fd1b12a69668983

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6160134.exe

Filesize
36KB

MD5
996c24a00b8e77f5c4663d51deba3a6c

SHA1
d264d4d0a9cde9e8a45a894dc192f13f67a0e1c9

SHA256
f5a90f1e21d5d790f3439f0837a9b3b30ce40a643c8526e4123b66f2272c89c8

SHA512
7c81a60cb5bd634ec674e3ac0dd524381de2dd04e7cf94ca9161e825413c97ef4cac28737ba1fcfc0ce552ce808a40d21d1b48991781b841d44c6f1dbfc0223a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6658097.exe

Filesize
234KB

MD5
3ebcea8b46533e3d8c377ee900c9b9d1

SHA1
7d256d4b11b3ff3cbd1f39e9b7bc6e4127d7bd73

SHA256
da464857a6799d31b068fe355271ad32b20afa56197d19ca46c5bc52430ddade

SHA512
f03a1e3a28bb4e0f67a10e1edb334cca46c14f07567b4ba3e197266474f9b8d866b2c72001afcb38ecb0c6a7415ea252a8379b6c5d4d0f3592cd980d6105f7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4363599.exe

Filesize
13KB

MD5
3812aad89facf3b8621bff1de3c7f37e

SHA1
db31b1c5ac5a9d9348a1b995020fe1409f15702c

SHA256
33333db88c1e465ddaf2bede26cb9425688f0734af3f1ee5062d66e0245a5cf4

SHA512
658e7dbf03e480cb9def3b78ab64dc5d4b8ad8ae593e1c4162264bf7da5fccd6a3229ec7c2cb30ab2323fc6c3ad6eb39ae716a6d8ce33b506e16a4147dcd133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6605019.exe

Filesize
225KB

MD5
14e80394c417efeead794dbdf18d49f3

SHA1
bbc5ccc061429163cf9be2b7894ec9e5df62ffae

SHA256
4195e63b8247e1d77e22e8669cc0afb64658c6681d43c3a735fec73311eee837

SHA512
6b28a7dd61f5cdc71f59a7c235621a50566583fce75e6493148c2a2f143ecbfc6c5fdd7a64066598fdb4d4945cf9c14569612cc7949a9911f8b3bb126ba1221f

Download Submit
memory/4412-21-0x00007FFBFDFD3000-0x00007FFBFDFD5000-memory.dmp

Filesize
8KB

Download
memory/4412-22-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/4764-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5036-44-0x0000000000030000-0x0000000000060000-memory.dmp

Filesize
192KB

Download
memory/5036-45-0x0000000000920000-0x0000000000926000-memory.dmp

Filesize
24KB

Download
memory/5036-46-0x000000000A510000-0x000000000AB28000-memory.dmp

Filesize
6.1MB

Download
memory/5036-47-0x000000000A000000-0x000000000A10A000-memory.dmp

Filesize
1.0MB

Download
memory/5036-48-0x0000000009F20000-0x0000000009F32000-memory.dmp

Filesize
72KB

Download
memory/5036-49-0x0000000009F80000-0x0000000009FBC000-memory.dmp

Filesize
240KB

Download
memory/5036-50-0x00000000044C0000-0x000000000450C000-memory.dmp

Filesize
304KB

Download