amadey | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe
Size

812KB
MD5

269e4463c32ae30693d623724642b34b
SHA1

db7310a4b793e4889d18652788269847a4ca0551
SHA256

346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17
SHA512

c5c2084f0aa7e829307c0e592aa11d5030a92f83f8f7f955b92c478070b2cd1ca25f10f2adcf958b8a9315fa72305787f8bc18dfaad149c410943871fb410100
SSDEEP

12288:7MrIy90Y0bOk0fpuuupA7G7boeBnDjtYIFEIzKYQl3GiXhgnmUK0ct:Py90bgQKKHoefsXXGmnt

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

g2929203.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g2929203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g2929203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g2929203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g2929203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g2929203.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g2929203.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3991898.exe	family_redline
behavioral5/memory/2240-75-0x00000000004D0000-0x0000000000500000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h5781387.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	h5781387.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

Processes:

x6521883.exex1483107.exex3498497.exeg2929203.exeh5781387.exesaves.exei3991898.exesaves.exesaves.exe

pid process

5104 x6521883.exe
3788 x1483107.exe
3408 x3498497.exe
4328 g2929203.exe
2416 h5781387.exe
4448 saves.exe
2240 i3991898.exe
1836 saves.exe
3100 saves.exe

pid	process
5104	x6521883.exe
3788	x1483107.exe
3408	x3498497.exe
4328	g2929203.exe
2416	h5781387.exe
4448	saves.exe
2240	i3991898.exe
1836	saves.exe
3100	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

g2929203.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g2929203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g2929203.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exex6521883.exex1483107.exex3498497.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6521883.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1483107.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3498497.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3640 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

g2929203.exe

pid process

4328 g2929203.exe
4328 g2929203.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

g2929203.exe

description pid process

Token: SeDebugPrivilege 4328 g2929203.exe

pid	process
3640	schtasks.exe

pid	process
4328	g2929203.exe
4328	g2929203.exe

description	pid	process
Token: SeDebugPrivilege	4328	g2929203.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exex6521883.exex1483107.exex3498497.exeh5781387.exesaves.execmd.exe

description	pid	process	target process
PID 4648 wrote to memory of 5104	4648	346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe	x6521883.exe
PID 4648 wrote to memory of 5104	4648	346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe	x6521883.exe
PID 4648 wrote to memory of 5104	4648	346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe	x6521883.exe
PID 5104 wrote to memory of 3788	5104	x6521883.exe	x1483107.exe
PID 5104 wrote to memory of 3788	5104	x6521883.exe	x1483107.exe
PID 5104 wrote to memory of 3788	5104	x6521883.exe	x1483107.exe
PID 3788 wrote to memory of 3408	3788	x1483107.exe	x3498497.exe
PID 3788 wrote to memory of 3408	3788	x1483107.exe	x3498497.exe
PID 3788 wrote to memory of 3408	3788	x1483107.exe	x3498497.exe
PID 3408 wrote to memory of 4328	3408	x3498497.exe	g2929203.exe
PID 3408 wrote to memory of 4328	3408	x3498497.exe	g2929203.exe
PID 3408 wrote to memory of 4328	3408	x3498497.exe	g2929203.exe
PID 3408 wrote to memory of 2416	3408	x3498497.exe	h5781387.exe
PID 3408 wrote to memory of 2416	3408	x3498497.exe	h5781387.exe
PID 3408 wrote to memory of 2416	3408	x3498497.exe	h5781387.exe
PID 2416 wrote to memory of 4448	2416	h5781387.exe	saves.exe
PID 2416 wrote to memory of 4448	2416	h5781387.exe	saves.exe
PID 2416 wrote to memory of 4448	2416	h5781387.exe	saves.exe
PID 3788 wrote to memory of 2240	3788	x1483107.exe	i3991898.exe
PID 3788 wrote to memory of 2240	3788	x1483107.exe	i3991898.exe
PID 3788 wrote to memory of 2240	3788	x1483107.exe	i3991898.exe
PID 4448 wrote to memory of 3640	4448	saves.exe	schtasks.exe
PID 4448 wrote to memory of 3640	4448	saves.exe	schtasks.exe
PID 4448 wrote to memory of 3640	4448	saves.exe	schtasks.exe
PID 4448 wrote to memory of 4964	4448	saves.exe	cmd.exe
PID 4448 wrote to memory of 4964	4448	saves.exe	cmd.exe
PID 4448 wrote to memory of 4964	4448	saves.exe	cmd.exe
PID 4964 wrote to memory of 4216	4964	cmd.exe	cmd.exe
PID 4964 wrote to memory of 4216	4964	cmd.exe	cmd.exe
PID 4964 wrote to memory of 4216	4964	cmd.exe	cmd.exe
PID 4964 wrote to memory of 3216	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 3216	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 3216	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 1292	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 1292	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 1292	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 3084	4964	cmd.exe	cmd.exe
PID 4964 wrote to memory of 3084	4964	cmd.exe	cmd.exe
PID 4964 wrote to memory of 3084	4964	cmd.exe	cmd.exe
PID 4964 wrote to memory of 4944	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 4944	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 4944	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 4556	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 4556	4964	cmd.exe	cacls.exe
PID 4964 wrote to memory of 4556	4964	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe
"C:\Users\Admin\AppData\Local\Temp\346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6521883.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6521883.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1483107.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1483107.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3498497.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3498497.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2929203.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2929203.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5781387.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5781387.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3991898.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3991898.exe
      4⤵
      Executes dropped EXE
      PID:2240

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6521883.exe

Filesize
706KB

MD5
0763ca1c64cc5d29bda07306722614f1

SHA1
03fcc80c7940a5accdcfa251f34c55c29d1d106b

SHA256
80e0d62f51727fea8d0da497d30511ad149b5aa1c4944acd020637622c5007d5

SHA512
1ef07fd2b285800e2ea2baaf0265773780bfe805e6fe65aa7af971b8c34763294d7337c02665effbe1ca40896b91dbb45e80a2a34067f80569b4551ae02d39b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1483107.exe

Filesize
540KB

MD5
22f55faf5ff2643f36c14db9e1393fe0

SHA1
7ac121a727716b98893c46082849c19e77fef19c

SHA256
0e509f547462afe2a6b50ef6959775a804f7d440e7947d740414b1d8faab33c2

SHA512
d21afa3a1262aa3bdefac5a1181f2941ecdb7424821cfb39c1585abd0a9b3942aa0a63928c9721c30243147500beb69bd2693c21f1599daa2d862065870616b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3991898.exe

Filesize
174KB

MD5
3849daffb54a3377df118d62a3d0664b

SHA1
8259badf722b829f45b9fcb922ef8f9ec9807432

SHA256
b1b12942d01e8546de92bd179ccfea2ab3d9b41a6d298ac38a58aa6ad8a2ca47

SHA512
c011e21d234471ae6948970c3d30fd01ec317b3631eb0be1e8a6ae500c86ae398c18851651ccdf00282e971f3dee0db0425e63d60b7133ecb68f7580f799846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3498497.exe

Filesize
384KB

MD5
5ad859e5a3f5efb77b2ebb1cd9f44306

SHA1
d5e72cd705aed6cd9aa469751c0c94b491ddca34

SHA256
6d673a2f9c6eeb183f37491c0df1762e32d622a40c90398bee1b48fb67187967

SHA512
c4bfd90f2d88b0f8b123a182248c984ea7b12ecb2d2836cb02871f6bdcf422ed90e31e0640c5ee49972817cdbd85734e855b8572dc2780bf19aa9eeb360a56a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2929203.exe

Filesize
202KB

MD5
b6b56abcc344ebc6e4433f6355c7d1e2

SHA1
00c122061ed50983ff09ab81214d955aa3225b4c

SHA256
a286fe62701f48708c771eb642cb513c26792349bbe4a715032c526faa7e8acb

SHA512
9b43e0b91a236a535290f2c16544386311f34380f34a595f903a752428a7d376b92caebe233710ff39a57be8b70157f4ec4cbae37965f3ada02fde134abd64de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5781387.exe

Filesize
337KB

MD5
e1d28aeb461c4abe2776d08dd0dc3f1e

SHA1
d16c1a40884bb09e9c7c0413b7147a20a15149c4

SHA256
f66f818625d84921192a7b530b800556486eb9767a58862a5beb93adfdc35fcf

SHA512
cd0b20ec4472f9089ad0310fe664d1b4ea9db1b7b6480a3f41a4a5bc08d28fb535304b8e85abd5ff3a24192c643341b70b8597b2c43a40ae64ebf40af42a0fac

Download Submit
memory/2240-79-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/2240-78-0x0000000004FB0000-0x00000000050BA000-memory.dmp

Filesize
1.0MB

Download
memory/2240-77-0x00000000054C0000-0x0000000005AD8000-memory.dmp

Filesize
6.1MB

Download
memory/2240-76-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/2240-75-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/2240-80-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

Filesize
240KB

Download
memory/2240-81-0x0000000004F20000-0x0000000004F6C000-memory.dmp

Filesize
304KB

Download
memory/4328-46-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-50-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-44-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-42-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-38-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-36-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-34-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-32-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-49-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-52-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-54-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-56-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-58-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-40-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4328-30-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download
memory/4328-29-0x00000000049E0000-0x0000000004F84000-memory.dmp

Filesize
5.6MB

Download
memory/4328-28-0x0000000002100000-0x000000000211E000-memory.dmp

Filesize
120KB

Download