amadey | 5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe
Size

805KB
MD5

7aeb09bb57206fc4c34cdceccc7ab340
SHA1

270c694409562e116dcdd44c5ce63b2a4f8bdccb
SHA256

d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34
SHA512

bd548655a57783f2c34ba4c11bc595112840266de1d68f939e888b399a3329cce74d604de6bc0f9efd47c292d5804d76307c520aede442378893c4828ee3d619
SSDEEP

12288:qMrsy903vnIAAzzFM8VzjAJNRK47lnoj8eI4BOx4aBFrx9OX2EkDWWSMEidlk:SyyPIdzzW8psxLxno49N9CGpitb

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g3381214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g3381214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g3381214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g3381214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g3381214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g3381214.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x000700000002342a-74.dat	family_redline
behavioral10/memory/2356-75-0x0000000000CC0000-0x0000000000CF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	h8357651.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

pid	Process
964	x3964572.exe
212	x0454216.exe
224	x8870532.exe
1832	g3381214.exe
2472	h8357651.exe
2656	saves.exe
2356	i4283919.exe
4816	saves.exe
3392	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g3381214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g3381214.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3964572.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0454216.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8870532.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1832	g3381214.exe
1832	g3381214.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	g3381214.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 964	4232	d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe	84
PID 4232 wrote to memory of 964	4232	d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe	84
PID 4232 wrote to memory of 964	4232	d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe	84
PID 964 wrote to memory of 212	964	x3964572.exe	85
PID 964 wrote to memory of 212	964	x3964572.exe	85
PID 964 wrote to memory of 212	964	x3964572.exe	85
PID 212 wrote to memory of 224	212	x0454216.exe	86
PID 212 wrote to memory of 224	212	x0454216.exe	86
PID 212 wrote to memory of 224	212	x0454216.exe	86
PID 224 wrote to memory of 1832	224	x8870532.exe	87
PID 224 wrote to memory of 1832	224	x8870532.exe	87
PID 224 wrote to memory of 1832	224	x8870532.exe	87
PID 224 wrote to memory of 2472	224	x8870532.exe	99
PID 224 wrote to memory of 2472	224	x8870532.exe	99
PID 224 wrote to memory of 2472	224	x8870532.exe	99
PID 2472 wrote to memory of 2656	2472	h8357651.exe	100
PID 2472 wrote to memory of 2656	2472	h8357651.exe	100
PID 2472 wrote to memory of 2656	2472	h8357651.exe	100
PID 212 wrote to memory of 2356	212	x0454216.exe	101
PID 212 wrote to memory of 2356	212	x0454216.exe	101
PID 212 wrote to memory of 2356	212	x0454216.exe	101
PID 2656 wrote to memory of 2088	2656	saves.exe	102
PID 2656 wrote to memory of 2088	2656	saves.exe	102
PID 2656 wrote to memory of 2088	2656	saves.exe	102
PID 2656 wrote to memory of 2888	2656	saves.exe	104
PID 2656 wrote to memory of 2888	2656	saves.exe	104
PID 2656 wrote to memory of 2888	2656	saves.exe	104
PID 2888 wrote to memory of 3732	2888	cmd.exe	106
PID 2888 wrote to memory of 3732	2888	cmd.exe	106
PID 2888 wrote to memory of 3732	2888	cmd.exe	106
PID 2888 wrote to memory of 2604	2888	cmd.exe	107
PID 2888 wrote to memory of 2604	2888	cmd.exe	107
PID 2888 wrote to memory of 2604	2888	cmd.exe	107
PID 2888 wrote to memory of 2364	2888	cmd.exe	108
PID 2888 wrote to memory of 2364	2888	cmd.exe	108
PID 2888 wrote to memory of 2364	2888	cmd.exe	108
PID 2888 wrote to memory of 2336	2888	cmd.exe	109
PID 2888 wrote to memory of 2336	2888	cmd.exe	109
PID 2888 wrote to memory of 2336	2888	cmd.exe	109
PID 2888 wrote to memory of 1140	2888	cmd.exe	110
PID 2888 wrote to memory of 1140	2888	cmd.exe	110
PID 2888 wrote to memory of 1140	2888	cmd.exe	110
PID 2888 wrote to memory of 400	2888	cmd.exe	111
PID 2888 wrote to memory of 400	2888	cmd.exe	111
PID 2888 wrote to memory of 400	2888	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe
"C:\Users\Admin\AppData\Local\Temp\d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3964572.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3964572.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0454216.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0454216.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8870532.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8870532.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3381214.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3381214.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8357651.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8357651.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:400
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4283919.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4283919.exe
      4⤵
      Executes dropped EXE
      PID:2356

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3964572.exe

Filesize
706KB

MD5
e84a8b8203b117a8432f224a5a3d72a5

SHA1
238ace86693f490ec454f7fea34e62802377a394

SHA256
905c5c4baffd72ba0bdbcb769ef0b2368f1fe4cdf9022c4a35f6343689f5a40d

SHA512
1029e882f018569f7ed42f00ec9cdb42e19accc8f851d4e2e86bdfec0467588aab9f561ed9dd6a421558cdd1d5276bcb4c93d4a12ea64d1f6e16a8ae097d73c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0454216.exe

Filesize
540KB

MD5
f22e2da98a23848f53913aad7edf83cc

SHA1
0ead7e024e4ba1675c0edb00225befa41a8379bf

SHA256
568665c32f7431a42377d0204b340a8d918a30c176fe6e3361177d98e81ddc0e

SHA512
6071c09793994ea45abaf0634eaa8e3bc204a03659011df98a558c079c9e599f73853429ac5cd8111c3a1f51f52786046c078c3ea2cc0f678d8036c0fdf4f3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4283919.exe

Filesize
173KB

MD5
528e14b12a0a82da5cc81c967a1e58eb

SHA1
0c75e56af31b3c3cc367b4d5d13b2b7bf223757a

SHA256
7721810e029c1096d6639c9eefae1a49b0ddd934a826fc381d974f8a11d0e8e5

SHA512
a6eb7a3cc9944069fcdfd4cff2365ef1ab24368916324b9f27ab240ee1dfdf8fc0959a827065c2addef0d1e31284ccaf017e37d7cd3e45cb919719f71db794a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8870532.exe

Filesize
384KB

MD5
a0a563ce32f17e7843afd3123e9e7424

SHA1
4043f1108704cc96b5cc911fca9d8276c2ccb5ac

SHA256
0f0a4e57e235c02b3da8d2083410957e78e02b0ab59dbbc1f4798cd42a5dff78

SHA512
1ffc62495b91250596e1c91ecddd896949180d992dcdf3b03150f018f6863d3675743a14abb31bcc0526c2f846c96e547caee2fc1d82ebabcfe83dee5ea8d10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3381214.exe

Filesize
185KB

MD5
0ce3bdb0c611d91ac39e10a7e3006519

SHA1
21ea6c019d9ce826130f4c30d7c5838f3ba3e1aa

SHA256
21ab2770d45578ddf1718dbdb0e9a6f2e40f28f854139197d91214108bfc5b41

SHA512
51589fbe1935f9f8a05dcfa80bcd163aaf42cc8a61aa5eab637ce554f90768b31c1df0c5eb7fadce86baf8f940f1c9a751f01960796c87076f0e21948b842a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8357651.exe

Filesize
336KB

MD5
1b82193c8c05ef6b71cd7c0b8d457216

SHA1
5aa2ccbae2615327243567761c749ee85bc42ee4

SHA256
766db7db6f59976098abb88038212cc93e6a53ceac53c3cead753142388d1c40

SHA512
08129bea69fb0744f0b161c2a70f621e9f4ad4a93f10f594c5640cb4d72f13e516041502d5f8490cce80fd62df826c650c22050d77677f379a06b8e1b8d06e2c

Download Submit
memory/1832-47-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-34-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-45-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-58-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-56-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-53-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-51-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-48-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-30-0x0000000002350000-0x000000000236C000-memory.dmp

Filesize
112KB

Download
memory/1832-42-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-40-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-38-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-36-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-31-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-32-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-54-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/1832-29-0x0000000004A00000-0x0000000004FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1832-28-0x00000000022C0000-0x00000000022DE000-memory.dmp

Filesize
120KB

Download
memory/2356-75-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download
memory/2356-76-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/2356-77-0x0000000005C90000-0x00000000062A8000-memory.dmp

Filesize
6.1MB

Download
memory/2356-78-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/2356-79-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/2356-80-0x00000000056B0000-0x00000000056EC000-memory.dmp

Filesize
240KB

Download
memory/2356-81-0x00000000056F0000-0x000000000573C000-memory.dmp

Filesize
304KB

Download