amadey | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe
Size

812KB
MD5

d7e04401772d93d83c33c32c5f33a602
SHA1

3c91a840591313764010ec32ee6a0dc5b5b40447
SHA256

928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca
SHA512

e5f33a36ed748c53165024bec39585b8b8312a6f68a54953f9d854265e009fcb2d34aec610ff98ce150a3e2aefca3e594ddbbb683e95f9edb962f06f39d575bb
SSDEEP

12288:dMr8y9062uW/X3IShA4Q7D2oRWidu+4lJGQmMLRrPv2ReCZdxnQ65gbpmwKK:pyqp3K4+D2rnbXGSiMCDylcK

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

g8205825.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g8205825.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g8205825.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g8205825.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g8205825.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g8205825.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g8205825.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6364755.exe	family_redline
behavioral15/memory/3664-75-0x0000000000090000-0x00000000000C0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h3541577.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	h3541577.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

Processes:

x3897948.exex1990902.exex8551980.exeg8205825.exeh3541577.exesaves.exei6364755.exesaves.exesaves.exe

pid process

224 x3897948.exe
2112 x1990902.exe
4252 x8551980.exe
2644 g8205825.exe
772 h3541577.exe
872 saves.exe
3664 i6364755.exe
4948 saves.exe
4044 saves.exe

pid	process
224	x3897948.exe
2112	x1990902.exe
4252	x8551980.exe
2644	g8205825.exe
772	h3541577.exe
872	saves.exe
3664	i6364755.exe
4948	saves.exe
4044	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

g8205825.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g8205825.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g8205825.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exex3897948.exex1990902.exex8551980.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3897948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1990902.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8551980.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1780 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

g8205825.exe

pid process

2644 g8205825.exe
2644 g8205825.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

g8205825.exe

description pid process

Token: SeDebugPrivilege 2644 g8205825.exe

pid	process
1780	schtasks.exe

pid	process
2644	g8205825.exe
2644	g8205825.exe

description	pid	process
Token: SeDebugPrivilege	2644	g8205825.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exex3897948.exex1990902.exex8551980.exeh3541577.exesaves.execmd.exe

description	pid	process	target process
PID 5104 wrote to memory of 224	5104	928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe	x3897948.exe
PID 5104 wrote to memory of 224	5104	928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe	x3897948.exe
PID 5104 wrote to memory of 224	5104	928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe	x3897948.exe
PID 224 wrote to memory of 2112	224	x3897948.exe	x1990902.exe
PID 224 wrote to memory of 2112	224	x3897948.exe	x1990902.exe
PID 224 wrote to memory of 2112	224	x3897948.exe	x1990902.exe
PID 2112 wrote to memory of 4252	2112	x1990902.exe	x8551980.exe
PID 2112 wrote to memory of 4252	2112	x1990902.exe	x8551980.exe
PID 2112 wrote to memory of 4252	2112	x1990902.exe	x8551980.exe
PID 4252 wrote to memory of 2644	4252	x8551980.exe	g8205825.exe
PID 4252 wrote to memory of 2644	4252	x8551980.exe	g8205825.exe
PID 4252 wrote to memory of 2644	4252	x8551980.exe	g8205825.exe
PID 4252 wrote to memory of 772	4252	x8551980.exe	h3541577.exe
PID 4252 wrote to memory of 772	4252	x8551980.exe	h3541577.exe
PID 4252 wrote to memory of 772	4252	x8551980.exe	h3541577.exe
PID 772 wrote to memory of 872	772	h3541577.exe	saves.exe
PID 772 wrote to memory of 872	772	h3541577.exe	saves.exe
PID 772 wrote to memory of 872	772	h3541577.exe	saves.exe
PID 2112 wrote to memory of 3664	2112	x1990902.exe	i6364755.exe
PID 2112 wrote to memory of 3664	2112	x1990902.exe	i6364755.exe
PID 2112 wrote to memory of 3664	2112	x1990902.exe	i6364755.exe
PID 872 wrote to memory of 1780	872	saves.exe	schtasks.exe
PID 872 wrote to memory of 1780	872	saves.exe	schtasks.exe
PID 872 wrote to memory of 1780	872	saves.exe	schtasks.exe
PID 872 wrote to memory of 2260	872	saves.exe	cmd.exe
PID 872 wrote to memory of 2260	872	saves.exe	cmd.exe
PID 872 wrote to memory of 2260	872	saves.exe	cmd.exe
PID 2260 wrote to memory of 2620	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 2620	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 2620	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 2916	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 2916	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 2916	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 1348	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 1348	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 1348	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 3468	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 3468	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 3468	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 1628	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 1628	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 1628	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 4972	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 4972	2260	cmd.exe	cacls.exe
PID 2260 wrote to memory of 4972	2260	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe
"C:\Users\Admin\AppData\Local\Temp\928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3897948.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3897948.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1990902.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1990902.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8551980.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8551980.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8205825.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8205825.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3541577.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3541577.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
7⤵
- Creates scheduled task(s)
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2620

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
8⤵
PID:2916

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
8⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:3468

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
8⤵
PID:1628

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
8⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6364755.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6364755.exe
4⤵
- Executes dropped EXE
PID:3664

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3897948.exe
Filesize
706KB

MD5
27379e251d23abe284cf5f9a3cfe60b8

SHA1
16170c21d537776effc57c7eb1336b34efac1269

SHA256
e7be2bc84a5eceb17fe5879d26729eb699f246a43cb5b4aee99efd2a656c4938

SHA512
dba6bf581d0b43cb1558dbb65cb7616b6ded2b5320bf539b11ea77ab95a5d81f17e97e513d4d64b2c6de1627d13a3934ac6335ac2e0282834f3143b01dd9a0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1990902.exe
Filesize
540KB

MD5
5e8f1b58f7aa360fa388ced6cda27e01

SHA1
1caffb04d42ce2c68d63ec9330e50c7e0e189353

SHA256
8ee8ea17ee37d7a170f5f1d1df5f12320002fc9ed36a5f4cc99c04d159fdd2b1

SHA512
9e6e10bc780b36ea41f69306d933b727ea86c28b54e61e4034b3429f7799c9f041565feebd3cf62ab2a680801f46192e84f1c933ed9ceb9b0d531f22774e0777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6364755.exe
Filesize
173KB

MD5
21e3eb2d785954439c4ceaa6d381b649

SHA1
d55ec6f8fd67b9489504d315ed6163cd11bb90dc

SHA256
e4c46bc5cc25860e26c1b0b08cf7b0632288ddca61c9e24b9b1f2f0b6c8c05b8

SHA512
491fa38e42c1a4b86f9cea55e619b20fe0b80c901d94f7e969e1ab4dc7df9dbb01777dd5f7f17c7312b7c51caf9b08f871b80d47eaa50cdc971c2f31986e721a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8551980.exe
Filesize
384KB

MD5
3a38875dc0f87686110aae94957897ec

SHA1
2e48324d37d02d8292d8797675a10ef8e11f05d4

SHA256
1574f9b89fa59c661ecfca17e6a3e59c6db359da6a1e5d608ea579e0d23b0768

SHA512
cb12b60a00dcf5dffa4131c52aa0d8856f90f60d4e1c693e600bd66d9c2d3f6634bb1448ba9cce64a66865c1a7b5ec306510f0da499502798da3a443ffb8b363

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8205825.exe
Filesize
185KB

MD5
9b63752dc73360c32845ffd48e118e6a

SHA1
ce862bc52b5b2917ceb3aab4bc4021327ca7629a

SHA256
c430d48b58a26eb09cbbc2af3c2df6543da3e022ec94239e734730647cf06a31

SHA512
62583ef56b18a2222b71620da3ccb1c7469911a5d26fef5585999092ba39d98c4ced2f318aa624a9e37ac6878ad6a88d38703fde2b80595a233aee629b63517c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3541577.exe
Filesize
336KB

MD5
88e85a8065d082e2336d93142af8d402

SHA1
e6711655405840b7ca4efc7172cbccdbeee220db

SHA256
ef2a3f5c2b5036b64a6c1534635f41a01bca481722a3ceec98dae0c5ff6fa3b9

SHA512
4624e06650bfdbe46c1e26aee31e50377c6c2e9b0cf132558f0d645ab7d9b302dc56a085e2f8beb72a8eb57f61ab005a2e545c0267f642939eb99792e4fb74f6

Download Submit
memory/2644-38-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-54-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-58-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-50-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-48-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-46-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-42-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-40-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-30-0x0000000004AE0000-0x0000000004AFC000-memory.dmp

Filesize
112KB

Download
memory/2644-36-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-34-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-32-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-31-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-56-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-52-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-44-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/2644-29-0x0000000004C40000-0x00000000051E4000-memory.dmp

Filesize
5.6MB

Download
memory/2644-28-0x0000000002300000-0x000000000231E000-memory.dmp

Filesize
120KB

Download
memory/3664-75-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/3664-76-0x0000000006D40000-0x0000000006D46000-memory.dmp

Filesize
24KB

Download
memory/3664-77-0x0000000004FE0000-0x00000000055F8000-memory.dmp

Filesize
6.1MB

Download
memory/3664-78-0x0000000004AD0000-0x0000000004BDA000-memory.dmp

Filesize
1.0MB

Download
memory/3664-79-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3664-80-0x0000000004A60000-0x0000000004A9C000-memory.dmp

Filesize
240KB

Download
memory/3664-81-0x0000000004BE0000-0x0000000004C2C000-memory.dmp

Filesize
304KB

Download