amadey | 0ff9bc0436d6052b24d3174a3e4aeb590fa03a5b78a09d0b6a5a4084006891e2

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
Size

515KB
MD5

11c22c7a24b8f0576c3470af1561a6e9
SHA1

47ba63be9cdf137c5356465791cca7e8d26048f9
SHA256

2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368
SHA512

acef19e6e351f779b034509e7eeff3eedebae468702c75c6b3a6c844b9024c84dffd25e768a8214df451fb33d094f979ad458bd0ad80d1a25bc312338b4d071e
SSDEEP

12288:AMrpy90pbhdTlggxZzkUrC7pfy4NHWisj53QEEXOsM0:ZyGzlgrUGPWjhQR

Score

10^/10

amadey healer redline smokeloader news backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

77.91.68.68:19071

Attributes

auth_value
99ba2ffe8d72ebe9fdc7e758c94db148

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe	healer
behavioral2/memory/2436-21-0x0000000000DB0000-0x0000000000DBA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a5970039.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5970039.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5970039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5970039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5970039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5970039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5970039.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe	family_redline
behavioral2/memory/540-45-0x00000000000D0000-0x0000000000100000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b4024066.exedanke.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	b4024066.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 9 IoCs

Processes:

v5031831.exev5473069.exea5970039.exeb4024066.exedanke.exec9593912.exed6125712.exedanke.exedanke.exe

pid process

4608 v5031831.exe
3760 v5473069.exe
2436 a5970039.exe
2300 b4024066.exe
3756 danke.exe
3224 c9593912.exe
540 d6125712.exe
1184 danke.exe
1988 danke.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a5970039.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5970039.exe

pid	process
4608	v5031831.exe
3760	v5473069.exe
2436	a5970039.exe
2300	b4024066.exe
3756	danke.exe
3224	c9593912.exe
540	d6125712.exe
1184	danke.exe
1988	danke.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5970039.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exev5031831.exev5473069.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5031831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5473069.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c9593912.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9593912.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9593912.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9593912.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4504 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a5970039.exe

pid process

2436 a5970039.exe
2436 a5970039.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a5970039.exe

description pid process

Token: SeDebugPrivilege 2436 a5970039.exe

pid	process
4504	schtasks.exe

pid	process
2436	a5970039.exe
2436	a5970039.exe

description	pid	process
Token: SeDebugPrivilege	2436	a5970039.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exev5031831.exev5473069.exeb4024066.exedanke.execmd.exe

description	pid	process	target process
PID 4888 wrote to memory of 4608	4888	2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe	v5031831.exe
PID 4888 wrote to memory of 4608	4888	2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe	v5031831.exe
PID 4888 wrote to memory of 4608	4888	2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe	v5031831.exe
PID 4608 wrote to memory of 3760	4608	v5031831.exe	v5473069.exe
PID 4608 wrote to memory of 3760	4608	v5031831.exe	v5473069.exe
PID 4608 wrote to memory of 3760	4608	v5031831.exe	v5473069.exe
PID 3760 wrote to memory of 2436	3760	v5473069.exe	a5970039.exe
PID 3760 wrote to memory of 2436	3760	v5473069.exe	a5970039.exe
PID 3760 wrote to memory of 2300	3760	v5473069.exe	b4024066.exe
PID 3760 wrote to memory of 2300	3760	v5473069.exe	b4024066.exe
PID 3760 wrote to memory of 2300	3760	v5473069.exe	b4024066.exe
PID 2300 wrote to memory of 3756	2300	b4024066.exe	danke.exe
PID 2300 wrote to memory of 3756	2300	b4024066.exe	danke.exe
PID 2300 wrote to memory of 3756	2300	b4024066.exe	danke.exe
PID 4608 wrote to memory of 3224	4608	v5031831.exe	c9593912.exe
PID 4608 wrote to memory of 3224	4608	v5031831.exe	c9593912.exe
PID 4608 wrote to memory of 3224	4608	v5031831.exe	c9593912.exe
PID 4888 wrote to memory of 540	4888	2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe	d6125712.exe
PID 4888 wrote to memory of 540	4888	2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe	d6125712.exe
PID 4888 wrote to memory of 540	4888	2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe	d6125712.exe
PID 3756 wrote to memory of 4504	3756	danke.exe	schtasks.exe
PID 3756 wrote to memory of 4504	3756	danke.exe	schtasks.exe
PID 3756 wrote to memory of 4504	3756	danke.exe	schtasks.exe
PID 3756 wrote to memory of 676	3756	danke.exe	cmd.exe
PID 3756 wrote to memory of 676	3756	danke.exe	cmd.exe
PID 3756 wrote to memory of 676	3756	danke.exe	cmd.exe
PID 676 wrote to memory of 1192	676	cmd.exe	cmd.exe
PID 676 wrote to memory of 1192	676	cmd.exe	cmd.exe
PID 676 wrote to memory of 1192	676	cmd.exe	cmd.exe
PID 676 wrote to memory of 3240	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 3240	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 3240	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 3112	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 3112	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 3112	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 1828	676	cmd.exe	cmd.exe
PID 676 wrote to memory of 1828	676	cmd.exe	cmd.exe
PID 676 wrote to memory of 1828	676	cmd.exe	cmd.exe
PID 676 wrote to memory of 2472	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 2472	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 2472	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 2480	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 2480	676	cmd.exe	cacls.exe
PID 676 wrote to memory of 2480	676	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
"C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
6⤵
- Creates scheduled task(s)
PID:4504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1192

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
7⤵
PID:3240

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
7⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1828

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
7⤵
PID:2472

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
7⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3224

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
2⤵
- Executes dropped EXE
PID:540

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
Filesize
174KB

MD5
5857ee0726d73781a91d8e82eaa75062

SHA1
2af364ed6f7f7612b5c7fdff981d547d13518a1d

SHA256
9b96fd6fb35d86dbf485be9d03649a67f4e19ec2eacf97b63c1ff5f71495ecc7

SHA512
50468fa0a187a446ce3e58aaa2c59ec04f8df55a588a7ae75674976cff5acf1f3c92b27bbe431ebad7f8dbd0125d664f38bade9df34a7fb79c658c5ec27dceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
Filesize
359KB

MD5
64914ff9bf5be388b673a4c159e81f0d

SHA1
e50e480364a0efb07a0b3619a35706a338cec43d

SHA256
d86e1af67ea1610cd582ea0dee48a2b98bc078d11b39de4f18e1df0e2b904d06

SHA512
073712b4a0aa9be3e81d83aa8ed42366e4962b767846172b0e1b33a784d75776c62b703b324a126334aac3b787ba4f94aa592752ca9c98f3c3691649f5177b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
Filesize
34KB

MD5
28b567d6d377880e6336770aa32966c6

SHA1
44e450e5488cd710318a62c30ecd3c2b0e5ce405

SHA256
970dc870f858c266ae0f4b8f2d1e8cdd971896b7ceba28f8edd18bd341b360b6

SHA512
1d7bbc36c404de957393268d1fba3a547b8a1b7535cc6f444bcba8393259e24db8144aeb85b2ca0de1e95196eba7d7693e35e2c7319886d42e5b6515b81bf7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
Filesize
235KB

MD5
47c57a08974e981716c8ebc94e73cef6

SHA1
f3a2cc808f85bb7fc40c1814e76cf7ecbc3e76eb

SHA256
c42d18d5dcc41dd560469e1c68b7955501ec3b2545ee8322a1f7dde7d7a90ad8

SHA512
b6f25499399d4d5738e9b103fe1438705700236656d9242a62194228c69eb70945066fd829191d50e2d8f59aed12cc2bbb5e8daa7961864d81ccb1b8bf7e27e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
Filesize
13KB

MD5
b9f7307f3344963173587f481cf79702

SHA1
d1771c11330d7f05b465837268f1993d16a50ef9

SHA256
3f1deb49ae3b7e8074b543490e6a24045c16a73102668c09729a4decb3260068

SHA512
ef449c472223eddfd606b5035962564da2b3b47e46dd7bb796e8565f14349bc1edd9e716d4b288d65dda044d47f1ee527554d130f0de6b6cf4d78a1b2e0741f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
Filesize
230KB

MD5
b4e48d49180a5de33de9a468850dd56d

SHA1
a813b19d1b7ca147c0bf19394d85dbb5e68e2499

SHA256
848b8ac51ed5492cc8dbf0db13d11166b3f40984d335c441ad0370fa1c6efaf4

SHA512
aeba44dbea2fd4d2cd72139e1f3a02be121237909bce8eef15fa36c66903bcae2231c0cb527e3aece354b50412a8ebae4dcce8898b66c1608a7643a45f49905f

Download Submit
memory/540-51-0x0000000004420000-0x000000000446C000-memory.dmp

Filesize
304KB

Download
memory/540-50-0x0000000009EE0000-0x0000000009F1C000-memory.dmp

Filesize
240KB

Download
memory/540-49-0x0000000009E80000-0x0000000009E92000-memory.dmp

Filesize
72KB

Download
memory/540-48-0x0000000009F40000-0x000000000A04A000-memory.dmp

Filesize
1.0MB

Download
memory/540-45-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/540-46-0x0000000002270000-0x0000000002276000-memory.dmp

Filesize
24KB

Download
memory/540-47-0x000000000A3F0000-0x000000000AA08000-memory.dmp

Filesize
6.1MB

Download
memory/2436-21-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

Filesize
40KB

Download
memory/2436-22-0x00007FFCF97E3000-0x00007FFCF97E5000-memory.dmp

Filesize
8KB

Download
memory/3224-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3224-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download