amadey | 54a724762de2b08068bc2bf0fc6c7404bb89bdf62f75cac32b4fb8687c10c747

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe
Size

514KB
MD5

2993a209322f7d93406fd78632f4a545
SHA1

e141503a5dc185ee91e131b8404ee5f563ff1cd1
SHA256

cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3
SHA512

cb8d9e79b3ed4ba5711cd8933590ce1dd9e349f7a399c38650a1b3611c4a50a415f0b7de91701f3e77e8297d38bb433fc7fb3d53cfd1e46e76f99772aeabfc3b
SSDEEP

12288:cMrzy90i9beiGTgODcYq3pB/npmVb66azq:vy/bhGT5Pq3Lhm/

Score

10^/10

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe	healer
behavioral13/memory/1756-22-0x0000000000F90000-0x0000000000F9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a0825239.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0825239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0825239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0825239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0825239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0825239.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0825239.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe	family_redline
behavioral13/memory/3132-45-0x0000000000760000-0x0000000000790000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b4802302.exedanke.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b4802302.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 9 IoCs

Processes:

v4435054.exev6076158.exea0825239.exeb4802302.exedanke.exec6942777.exedanke.exed8501327.exedanke.exe

pid process

2836 v4435054.exe
4684 v6076158.exe
1756 a0825239.exe
4376 b4802302.exe
4108 danke.exe
2368 c6942777.exe
4476 danke.exe
3132 d8501327.exe
1720 danke.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a0825239.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0825239.exe

pid	process
2836	v4435054.exe
4684	v6076158.exe
1756	a0825239.exe
4376	b4802302.exe
4108	danke.exe
2368	c6942777.exe
4476	danke.exe
3132	d8501327.exe
1720	danke.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0825239.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exev4435054.exev6076158.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4435054.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6076158.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c6942777.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6942777.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6942777.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6942777.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a0825239.exe

pid process

1756 a0825239.exe
1756 a0825239.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0825239.exe

description pid process

Token: SeDebugPrivilege 1756 a0825239.exe

pid	process
3812	schtasks.exe

pid	process
1756	a0825239.exe
1756	a0825239.exe

description	pid	process
Token: SeDebugPrivilege	1756	a0825239.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exev4435054.exev6076158.exeb4802302.exedanke.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 2836	1492	cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe	v4435054.exe
PID 1492 wrote to memory of 2836	1492	cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe	v4435054.exe
PID 1492 wrote to memory of 2836	1492	cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe	v4435054.exe
PID 2836 wrote to memory of 4684	2836	v4435054.exe	v6076158.exe
PID 2836 wrote to memory of 4684	2836	v4435054.exe	v6076158.exe
PID 2836 wrote to memory of 4684	2836	v4435054.exe	v6076158.exe
PID 4684 wrote to memory of 1756	4684	v6076158.exe	a0825239.exe
PID 4684 wrote to memory of 1756	4684	v6076158.exe	a0825239.exe
PID 4684 wrote to memory of 4376	4684	v6076158.exe	b4802302.exe
PID 4684 wrote to memory of 4376	4684	v6076158.exe	b4802302.exe
PID 4684 wrote to memory of 4376	4684	v6076158.exe	b4802302.exe
PID 4376 wrote to memory of 4108	4376	b4802302.exe	danke.exe
PID 4376 wrote to memory of 4108	4376	b4802302.exe	danke.exe
PID 4376 wrote to memory of 4108	4376	b4802302.exe	danke.exe
PID 2836 wrote to memory of 2368	2836	v4435054.exe	c6942777.exe
PID 2836 wrote to memory of 2368	2836	v4435054.exe	c6942777.exe
PID 2836 wrote to memory of 2368	2836	v4435054.exe	c6942777.exe
PID 4108 wrote to memory of 3812	4108	danke.exe	schtasks.exe
PID 4108 wrote to memory of 3812	4108	danke.exe	schtasks.exe
PID 4108 wrote to memory of 3812	4108	danke.exe	schtasks.exe
PID 4108 wrote to memory of 804	4108	danke.exe	cmd.exe
PID 4108 wrote to memory of 804	4108	danke.exe	cmd.exe
PID 4108 wrote to memory of 804	4108	danke.exe	cmd.exe
PID 804 wrote to memory of 4468	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 4468	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 4468	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 3136	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 3136	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 3136	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 1700	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 1700	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 1700	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 1468	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 1468	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 1468	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 3832	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 3832	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 3832	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 4240	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 4240	804	cmd.exe	cacls.exe
PID 804 wrote to memory of 4240	804	cmd.exe	cacls.exe
PID 1492 wrote to memory of 3132	1492	cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe	d8501327.exe
PID 1492 wrote to memory of 3132	1492	cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe	d8501327.exe
PID 1492 wrote to memory of 3132	1492	cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe	d8501327.exe

C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe
"C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
6⤵
- Creates scheduled task(s)
PID:3812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4468

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
7⤵
PID:3136

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
7⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1468

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
7⤵
PID:3832

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
7⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
2⤵
- Executes dropped EXE
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3644,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
1⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
Filesize
173KB

MD5
12c1ab680089f44c182ab0d1f4a95ae1

SHA1
4a9cfa25e4810ff2428356308e3317aee191d541

SHA256
4a62ceddedc8c2a3cd54f23196890111038241c4f792ebd949d80385cad0f3f5

SHA512
46682624d94f3131db1b196d6bb47ac6e367045fc779a309d8433fc54e6f9ef6edbf99479f976437e5601b9e5f479909bbb46a353f07416790892641c64764ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
Filesize
359KB

MD5
91933e51696584a07d7c09e2e13141f5

SHA1
0f24a6ac68fb31fb27b7c2a0710ad37019447204

SHA256
51b3eccbb193d1455e060d100fcbf91133f137aebc267fb4b9a4b91952126498

SHA512
ccaf03c65b0ae52dad65d5395d16aedb6abe777962a4c6f5cfeb1831d41ed0d0bba6c2d6e62071337b5bfcb34996d68e94ece6bb56110c88f49719d7be2c45c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
Filesize
32KB

MD5
ecaccb61a433da4a9745317a688738ed

SHA1
54aad35ff3dbb45a12263306af2a409e56ffa5a0

SHA256
35c335eb5c241a978210148f6886ca0ee20bcd368b17bbaf15eaac5465d14132

SHA512
d4379e9fad838589d447b1a7494f5fff9e9c8797e24bdab00fe3a9f5704135e6263e15432b3dc1fa6c719e93a20271962be87f3be0873f78d7b83d0a4f31dea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
Filesize
235KB

MD5
0711e5b846ebcd95fdcce83aa82ee27d

SHA1
87975557ea8e9efda716a9377dde46b57a7662e8

SHA256
06193190d3c01ff9e2fa5eafb338a958d74abbe89259f7f70391df0721f9a332

SHA512
26fbf12831309e5dd644a73743cd518afff4e9a582893302588ac60552c191e3d21dcd5c2e3cd13fc70ede345aa7ae2e05785e10cd2fc23d0d78cb61153f0c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
Filesize
14KB

MD5
7142af778ac7df1f47ee0f67c5969d10

SHA1
1c951387ce612014321c82bb225b7ca674bc3dd8

SHA256
bbcf2054c9add3d18e308671ee5b1f3cebe898baf3634394b5bbb4c3855c512c

SHA512
d96b464e2e156dbb4afd6cde6f916398db0a6883914a71e682d4170e14b0047a8e59b0b1a5762addeff2b54ef0347cf6dde4e7032bd54d3845ba610616dfa17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
Filesize
227KB

MD5
270a148b44bad929ed1a4adc8cbd94a2

SHA1
55a61daf7fa7f81317d3bacf86064cf27eab3649

SHA256
f125c5d00d3075ed916a60e58897b960eee948a141f793577ad013c85cb91809

SHA512
e9ae358b7e659403326f4da5196217636e24dc09b68c487bd62523d3390ed727247b9a74ecad802277b9d831f95e645e7b40bfe162cf08f6fd3340eb82109c59

Download Submit
memory/1756-22-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/1756-21-0x00007FFC3ED03000-0x00007FFC3ED05000-memory.dmp

Filesize
8KB

Download
memory/2368-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3132-45-0x0000000000760000-0x0000000000790000-memory.dmp

Filesize
192KB

Download
memory/3132-46-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/3132-47-0x000000000AC00000-0x000000000B218000-memory.dmp

Filesize
6.1MB

Download
memory/3132-48-0x000000000A710000-0x000000000A81A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-49-0x000000000A650000-0x000000000A662000-memory.dmp

Filesize
72KB

Download
memory/3132-50-0x000000000A6B0000-0x000000000A6EC000-memory.dmp

Filesize
240KB

Download
memory/3132-51-0x0000000004AB0000-0x0000000004AFC000-memory.dmp

Filesize
304KB

Download