amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
Size

845KB
MD5

48567c75c4c768747990b660f8c98486
SHA1

c5d74fb54ab54eb6097414ab1a4c3f80481dfdbc
SHA256

b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5
SHA512

352575ff5f4c3d71905472f5fa1821bd89c0a74f2f66eec4a8529a05ff8155e24fb095fff87c9b425a855f94bd2e29178faa2a8b1bbf4d45c5dce2601f147cb2
SSDEEP

24576:wyTGPDzqeWDz0usMLfZU1nloJ6e6uVQgEb:3SP/9+z0usCq1nmLFE

Score

10^/10

amadey healer redline fb0fb8 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral12/files/0x0008000000023492-34.dat	healer
behavioral12/memory/4484-35-0x0000000000390000-0x000000000039A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6317664.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q6317664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6317664.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x0007000000023490-50.dat	family_redline
behavioral12/memory/3092-52-0x0000000000140000-0x0000000000170000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	r3534172.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 11 IoCs

pid	Process
1980	z0767174.exe
2928	z7195821.exe
1432	z9272765.exe
4828	z0303318.exe
4484	q6317664.exe
1600	r3534172.exe
3592	explonde.exe
3092	s5081066.exe
3084	explonde.exe
4544	explonde.exe
468	explonde.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6317664.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0767174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7195821.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9272765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0303318.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3668	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4484	q6317664.exe
4484	q6317664.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	q6317664.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1980	3328	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe	83
PID 3328 wrote to memory of 1980	3328	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe	83
PID 3328 wrote to memory of 1980	3328	b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe	83
PID 1980 wrote to memory of 2928	1980	z0767174.exe	84
PID 1980 wrote to memory of 2928	1980	z0767174.exe	84
PID 1980 wrote to memory of 2928	1980	z0767174.exe	84
PID 2928 wrote to memory of 1432	2928	z7195821.exe	85
PID 2928 wrote to memory of 1432	2928	z7195821.exe	85
PID 2928 wrote to memory of 1432	2928	z7195821.exe	85
PID 1432 wrote to memory of 4828	1432	z9272765.exe	87
PID 1432 wrote to memory of 4828	1432	z9272765.exe	87
PID 1432 wrote to memory of 4828	1432	z9272765.exe	87
PID 4828 wrote to memory of 4484	4828	z0303318.exe	88
PID 4828 wrote to memory of 4484	4828	z0303318.exe	88
PID 4828 wrote to memory of 1600	4828	z0303318.exe	97
PID 4828 wrote to memory of 1600	4828	z0303318.exe	97
PID 4828 wrote to memory of 1600	4828	z0303318.exe	97
PID 1600 wrote to memory of 3592	1600	r3534172.exe	98
PID 1600 wrote to memory of 3592	1600	r3534172.exe	98
PID 1600 wrote to memory of 3592	1600	r3534172.exe	98
PID 1432 wrote to memory of 3092	1432	z9272765.exe	99
PID 1432 wrote to memory of 3092	1432	z9272765.exe	99
PID 1432 wrote to memory of 3092	1432	z9272765.exe	99
PID 3592 wrote to memory of 1892	3592	explonde.exe	100
PID 3592 wrote to memory of 1892	3592	explonde.exe	100
PID 3592 wrote to memory of 1892	3592	explonde.exe	100
PID 3592 wrote to memory of 5112	3592	explonde.exe	102
PID 3592 wrote to memory of 5112	3592	explonde.exe	102
PID 3592 wrote to memory of 5112	3592	explonde.exe	102
PID 5112 wrote to memory of 960	5112	cmd.exe	104
PID 5112 wrote to memory of 960	5112	cmd.exe	104
PID 5112 wrote to memory of 960	5112	cmd.exe	104
PID 5112 wrote to memory of 4804	5112	cmd.exe	105
PID 5112 wrote to memory of 4804	5112	cmd.exe	105
PID 5112 wrote to memory of 4804	5112	cmd.exe	105
PID 5112 wrote to memory of 1760	5112	cmd.exe	106
PID 5112 wrote to memory of 1760	5112	cmd.exe	106
PID 5112 wrote to memory of 1760	5112	cmd.exe	106
PID 5112 wrote to memory of 3988	5112	cmd.exe	107
PID 5112 wrote to memory of 3988	5112	cmd.exe	107
PID 5112 wrote to memory of 3988	5112	cmd.exe	107
PID 5112 wrote to memory of 4532	5112	cmd.exe	108
PID 5112 wrote to memory of 4532	5112	cmd.exe	108
PID 5112 wrote to memory of 4532	5112	cmd.exe	108
PID 5112 wrote to memory of 448	5112	cmd.exe	109
PID 5112 wrote to memory of 448	5112	cmd.exe	109
PID 5112 wrote to memory of 448	5112	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
"C:\Users\Admin\AppData\Local\Temp\b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        8⤵
        Creates scheduled task(s)
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        9⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        9⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        9⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        9⤵
        
        PID:448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
        5⤵
        Executes dropped EXE
        
        PID:3092

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3668

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe

Filesize
739KB

MD5
1f1478a97885ee2786ea0dabfe4cd0f6

SHA1
ba07d4d4972718f40e7028b6ba5a3206cbec8f0a

SHA256
bb7fd4e73d69bd091eec4adcf7195b67c4967bf26a9f6e49d23cc1f8f1cb86ff

SHA512
d1850999c2342ed2353fb6eb0d590c085bee4892d51446c4db50b15df868ff0b90c6d5dfb259b4588aed51729bdfdc2fcc26957cd5ee56c66fc463fe06da78de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe

Filesize
573KB

MD5
3cef8d01010e36c8ec99cf64df9c99c5

SHA1
9f707037219996936d8eb6f3b83f24d0ddd10bf9

SHA256
aeb7cc95a992ac4900bc0425baed7d55a5cba9715b62a832a719d622cc626382

SHA512
4feb44bbe29309c4cbe8129fa8fc439afed3db7fcd7307afa4be4931e170ca2f895ffca043d43353f026413094a12981ee8928bed71acbb93583e53c015cf933

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe

Filesize
390KB

MD5
7560beb7322bd2692df3a03011caa912

SHA1
2dbc1f17d7b4235a8ece2bf86f641b3294aab8ec

SHA256
c9e9bef07fa4c791811556b72c9203cad57565f08289fde336f946c7e352d733

SHA512
d03372522b7193d76ea12d763554ba9d2d2cfbbff1fbbdea2fdf6fa85774b2e1242a1c5c0572618ee8c595cff5394fa884e214b5da9669a8622eb0219e6e68ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe

Filesize
175KB

MD5
b9223d0c0d016a1b71628bac899b8c85

SHA1
1fcf1ca92a29ab20d60dc32c87814307dea3030c

SHA256
f5d965417ff0d03022452485374cbf1383d9e363456379c1176ff875b77b6efe

SHA512
e6bb7297988b57275f3962dcd920c9242caa6feb0d9fcd9f720f407710be0e033d131491aaa7f8fa5ca9efb88d7d183b784c9004c3a961f25d4373c38e61f5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe

Filesize
234KB

MD5
5157199d2abd9f40948702814b18cdac

SHA1
c1d9db02998d50e0088b405b5a8c975bee7a1f07

SHA256
e2a8dd69ea92189cb06a62fdc7299a5d82bdbd44a6bb542adce3051123ff3e61

SHA512
03da39aececfccf87a09092db50a2187e76208fc47c95fc8cee420fec674aa0c9aa3cbd6ac0553d8bd2b004a77fdf519ee198a708f60914d7ccb05c5a98c5359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe

Filesize
11KB

MD5
5134903f08843187dc208206f5e99368

SHA1
66a6002cd55b2a568938c5e6d4bc0f3c7fd16055

SHA256
f844b8f8aaf79e351fd89933625e8d0cb139de2c25f30cccbb42eb75ed496615

SHA512
24fdb5c79b79cb39e7792dc8aa9368cbb23d881b391a19bcff185f5d44748f26a5c3ab7264dc5f387052512b2c897fb0a8c17f0a7867a3f6963ab6814d4a9599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe

Filesize
220KB

MD5
6ab82d832ff9bd75e6981da2371c51c2

SHA1
ba7cc8f447c7d0685ff59b6994413f02dfc0a588

SHA256
96dbe3d3af00eb9ff975f8240661f0e9d89fe00cf60e3cc35f52c43eaa12e795

SHA512
c51bf70c508e46a51425c44a89136752790e8cc5c0022e3f94d488d473fc75d17ab624a9be7eaa4734b0e3fe6f76b403e98a47b2f5aa14a3013f2edff40f8183

Download Submit
memory/3092-52-0x0000000000140000-0x0000000000170000-memory.dmp

Filesize
192KB

Download
memory/3092-53-0x0000000002430000-0x0000000002436000-memory.dmp

Filesize
24KB

Download
memory/3092-54-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/3092-55-0x0000000004C80000-0x0000000004D8A000-memory.dmp

Filesize
1.0MB

Download
memory/3092-56-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/3092-57-0x0000000004A10000-0x0000000004A4C000-memory.dmp

Filesize
240KB

Download
memory/3092-58-0x0000000004B70000-0x0000000004BBC000-memory.dmp

Filesize
304KB

Download
memory/4484-35-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download