amadey | 54a724762de2b08068bc2bf0fc6c7404bb89bdf62f75cac32b4fb8687c10c747

Analysis

max time kernel
147s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe
Size

514KB
MD5

805f458c4e4cafdc121c09022e7065a1
SHA1

a7876edbb4b0df6770d9de1b3eec3d10b9341f0b
SHA256

68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a
SHA512

49ae31bcc03ce37884dea632ae0e2f2b46a145d2fbf081f83ab9854aef849a6988a3bc614676f50c9ea2fa209fad269cec271fffaa08fdca610494aea4ecc840
SSDEEP

12288:6Mr+y90vfhcrO1YnhEibozGpgA5UcjKy+:8ykfOrcYloyaKKD

Score

10^/10

amadey healer redline smokeloader grom backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

grom

77.91.68.68:19071

Attributes

auth_value
9ec3129bff410b89097d656d7abc33dc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1520981.exe	healer
behavioral5/memory/3596-21-0x0000000000F70000-0x0000000000F7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a1520981.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1520981.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1520981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1520981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1520981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1520981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1520981.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8390114.exe	family_redline
behavioral5/memory/3824-44-0x0000000000470000-0x00000000004A0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b7964864.exedanke.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b7964864.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 9 IoCs

Processes:

v3918201.exev8728502.exea1520981.exeb7964864.exedanke.exec5132843.exed8390114.exedanke.exedanke.exe

pid process

1804 v3918201.exe
1016 v8728502.exe
3596 a1520981.exe
5420 b7964864.exe
5400 danke.exe
5596 c5132843.exe
3824 d8390114.exe
5756 danke.exe
2224 danke.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a1520981.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1520981.exe

pid	process
1804	v3918201.exe
1016	v8728502.exe
3596	a1520981.exe
5420	b7964864.exe
5400	danke.exe
5596	c5132843.exe
3824	d8390114.exe
5756	danke.exe
2224	danke.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1520981.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

v3918201.exev8728502.exe68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3918201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8728502.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c5132843.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5132843.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5132843.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5132843.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5704 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1520981.exe

pid process

3596 a1520981.exe
3596 a1520981.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1520981.exe

description pid process

Token: SeDebugPrivilege 3596 a1520981.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b7964864.exe

pid process

5420 b7964864.exe

pid	process
5704	schtasks.exe

pid	process
3596	a1520981.exe
3596	a1520981.exe

description	pid	process
Token: SeDebugPrivilege	3596	a1520981.exe

pid	process
5420	b7964864.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exev3918201.exev8728502.exeb7964864.exedanke.execmd.exe

description	pid	process	target process
PID 1336 wrote to memory of 1804	1336	68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe	v3918201.exe
PID 1336 wrote to memory of 1804	1336	68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe	v3918201.exe
PID 1336 wrote to memory of 1804	1336	68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe	v3918201.exe
PID 1804 wrote to memory of 1016	1804	v3918201.exe	v8728502.exe
PID 1804 wrote to memory of 1016	1804	v3918201.exe	v8728502.exe
PID 1804 wrote to memory of 1016	1804	v3918201.exe	v8728502.exe
PID 1016 wrote to memory of 3596	1016	v8728502.exe	a1520981.exe
PID 1016 wrote to memory of 3596	1016	v8728502.exe	a1520981.exe
PID 1016 wrote to memory of 5420	1016	v8728502.exe	b7964864.exe
PID 1016 wrote to memory of 5420	1016	v8728502.exe	b7964864.exe
PID 1016 wrote to memory of 5420	1016	v8728502.exe	b7964864.exe
PID 5420 wrote to memory of 5400	5420	b7964864.exe	danke.exe
PID 5420 wrote to memory of 5400	5420	b7964864.exe	danke.exe
PID 5420 wrote to memory of 5400	5420	b7964864.exe	danke.exe
PID 1804 wrote to memory of 5596	1804	v3918201.exe	c5132843.exe
PID 1804 wrote to memory of 5596	1804	v3918201.exe	c5132843.exe
PID 1804 wrote to memory of 5596	1804	v3918201.exe	c5132843.exe
PID 5400 wrote to memory of 5704	5400	danke.exe	schtasks.exe
PID 5400 wrote to memory of 5704	5400	danke.exe	schtasks.exe
PID 5400 wrote to memory of 5704	5400	danke.exe	schtasks.exe
PID 5400 wrote to memory of 2292	5400	danke.exe	cmd.exe
PID 5400 wrote to memory of 2292	5400	danke.exe	cmd.exe
PID 5400 wrote to memory of 2292	5400	danke.exe	cmd.exe
PID 2292 wrote to memory of 492	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 492	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 492	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2024	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 2024	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 2024	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4216	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4216	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4216	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 1924	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 1924	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 1924	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 5132	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 5132	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 5132	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 460	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 460	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 460	2292	cmd.exe	cacls.exe
PID 1336 wrote to memory of 3824	1336	68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe	d8390114.exe
PID 1336 wrote to memory of 3824	1336	68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe	d8390114.exe
PID 1336 wrote to memory of 3824	1336	68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe	d8390114.exe

C:\Users\Admin\AppData\Local\Temp\68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe
"C:\Users\Admin\AppData\Local\Temp\68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3918201.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3918201.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8728502.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8728502.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1520981.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1520981.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7964864.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7964864.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5420
    - - C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5400
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:N"
        7⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:R" /E
        7⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:N"
        7⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:R" /E
        7⤵
        
        PID:460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5132843.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5132843.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8390114.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8390114.exe
  2⤵
  - Executes dropped EXE
  PID:3824

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:5756

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8390114.exe

Filesize
173KB

MD5
8057a194266577b4c40a403b7132883d

SHA1
48e608a3d8318d958ff39e6d86c92300f25697b9

SHA256
97ffdc0bcd30df2761422c722ec2b0cbd18671e1e76aa4fc3e4074869c6cd644

SHA512
b49ec55343454f6e1ca92c7b5617ab73465d9953750757b51d78f40468d3aa1314e4f2ff567a348331bbf3111e3d7f9a642a7935b0d7e1d91fc35bcda1694ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3918201.exe

Filesize
359KB

MD5
6e73bdbfa5d08ebf1d73023e9ee727dc

SHA1
b9ee6a750155a8c2642b5bf3437fda9007678507

SHA256
609302e9708f446dc5473b29cacf3c8e4187ad07ea6c88850f242573287ab897

SHA512
1277e15f9c2e89d70209034f19533481c9576603e00dedb10867197b1ace4fdf99104b950d8b464010dd3e564cbfdc41fed20f5b06cab637156852ecd05f9d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5132843.exe

Filesize
33KB

MD5
e4310852aa5e6ffcec01b7a96a99f8d3

SHA1
9061a6968a4c1d86c6c566306067507bbb9a3e5c

SHA256
242c37b2da275f6caf39aee903155e18501a605549ee169cb0a9086f23fa6250

SHA512
ec96f4c0008a67bed43278dd18e28c599e52ff75645377afa7292c4223329ed543f303160ac565d32e155a6df1ed084352d78c786d44c00d23a7dadade9bd614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8728502.exe

Filesize
235KB

MD5
7e1c0acf0982e20ee5997894b1883c97

SHA1
85725fed96c43bdf60406f80227d08694c86a72b

SHA256
e0977088957e4b9c31b6b71eb74f47c24b020d3ab8378b8fedf317a4aa03e2fa

SHA512
c0385b7b09d6f892a22485bcde9a5779182e34b4ada86e89387556a0631e35f89e816c49537a0acee712e8da896b98a1f229dcfbbfaaa0395508bbd7e7130040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1520981.exe

Filesize
11KB

MD5
1064c8e873b8ef7b683a5228cbc88b8b

SHA1
18fd3ab0f542ae640f158b5ac20615c4b1940699

SHA256
cad5902d256fd6e9f3a64166925193a0ffbe66db4ec317b38bb76050f3367787

SHA512
db04baf087525ab2c23221a977d970ea6c280975c94895d007f676af4ed66b9787c0ab23cf2282046504ef40cf7e936dbd6b57a777f4039ebaf6de17f0fd327d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7964864.exe

Filesize
228KB

MD5
e520652f2d0117c0399e40ecdd867ef2

SHA1
efdc1c767bb298ecad98b0c88e4e0e960559e23c

SHA256
72b1c2d3c1dc93b72614111d2a82ac0573112f98c20dd78ccb292860c1ccb8e0

SHA512
060d151bfc6576b6c87def2260c34a90c17d9d3b3384cba446fad221c6994e0989f61ae25b00450384f24813b3014027f391b6d4e829baeb0ab1af891a41bbc6

Download Submit
memory/3596-22-0x00007FFA030A3000-0x00007FFA030A5000-memory.dmp

Filesize
8KB

Download
memory/3596-21-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/3824-44-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/3824-45-0x0000000001090000-0x0000000001096000-memory.dmp

Filesize
24KB

Download
memory/3824-46-0x000000000A910000-0x000000000AF28000-memory.dmp

Filesize
6.1MB

Download
memory/3824-47-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/3824-48-0x000000000A360000-0x000000000A372000-memory.dmp

Filesize
72KB

Download
memory/3824-49-0x000000000A3C0000-0x000000000A3FC000-memory.dmp

Filesize
240KB

Download
memory/3824-50-0x0000000001010000-0x000000000105C000-memory.dmp

Filesize
304KB

Download
memory/5596-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download