amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe
Size

812KB
MD5

f5f40df358fb020b709a87b5ed4ec4d3
SHA1

7a1412af73b32c7c9a61007863b57f50570645b2
SHA256

c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435
SHA512

f45fd35998f15a6204494bb8e99391571f35e6e4867e56bf78a818062c75942eea2a63cf93df732f7ed0d6eaf79d49e4a165b1b6ad62df994550e57a1125d3ba
SSDEEP

12288:AMrsy90fafIyG5ojpCh/IL7ElM0kHP5/rmMsj+IgMcFLzZp1/9mOh8++OM:cyMojpCh/+7C4xrmMi+I4Fpr/kOh8D3

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

g8871577.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g8871577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g8871577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g8871577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g8871577.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g8871577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g8871577.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5613002.exe	family_redline
behavioral14/memory/2404-75-0x0000000000220000-0x0000000000250000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h4096492.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	h4096492.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 10 IoCs

Processes:

x1387297.exex2122202.exex8979577.exeg8871577.exeh4096492.exesaves.exei5613002.exesaves.exesaves.exesaves.exe

pid	process
2684	x1387297.exe
5200	x2122202.exe
1372	x8979577.exe
4212	g8871577.exe
5400	h4096492.exe
3400	saves.exe
2404	i5613002.exe
1692	saves.exe
1048	saves.exe
4520	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

g8871577.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g8871577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g8871577.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exex1387297.exex2122202.exex8979577.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1387297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2122202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8979577.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3280 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

g8871577.exe

pid process

4212 g8871577.exe
4212 g8871577.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

g8871577.exe

description pid process

Token: SeDebugPrivilege 4212 g8871577.exe

pid	process
3280	schtasks.exe

pid	process
4212	g8871577.exe
4212	g8871577.exe

description	pid	process
Token: SeDebugPrivilege	4212	g8871577.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exex1387297.exex2122202.exex8979577.exeh4096492.exesaves.execmd.exe

description	pid	process	target process
PID 4444 wrote to memory of 2684	4444	c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe	x1387297.exe
PID 4444 wrote to memory of 2684	4444	c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe	x1387297.exe
PID 4444 wrote to memory of 2684	4444	c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe	x1387297.exe
PID 2684 wrote to memory of 5200	2684	x1387297.exe	x2122202.exe
PID 2684 wrote to memory of 5200	2684	x1387297.exe	x2122202.exe
PID 2684 wrote to memory of 5200	2684	x1387297.exe	x2122202.exe
PID 5200 wrote to memory of 1372	5200	x2122202.exe	x8979577.exe
PID 5200 wrote to memory of 1372	5200	x2122202.exe	x8979577.exe
PID 5200 wrote to memory of 1372	5200	x2122202.exe	x8979577.exe
PID 1372 wrote to memory of 4212	1372	x8979577.exe	g8871577.exe
PID 1372 wrote to memory of 4212	1372	x8979577.exe	g8871577.exe
PID 1372 wrote to memory of 4212	1372	x8979577.exe	g8871577.exe
PID 1372 wrote to memory of 5400	1372	x8979577.exe	h4096492.exe
PID 1372 wrote to memory of 5400	1372	x8979577.exe	h4096492.exe
PID 1372 wrote to memory of 5400	1372	x8979577.exe	h4096492.exe
PID 5400 wrote to memory of 3400	5400	h4096492.exe	saves.exe
PID 5400 wrote to memory of 3400	5400	h4096492.exe	saves.exe
PID 5400 wrote to memory of 3400	5400	h4096492.exe	saves.exe
PID 5200 wrote to memory of 2404	5200	x2122202.exe	i5613002.exe
PID 5200 wrote to memory of 2404	5200	x2122202.exe	i5613002.exe
PID 5200 wrote to memory of 2404	5200	x2122202.exe	i5613002.exe
PID 3400 wrote to memory of 3280	3400	saves.exe	schtasks.exe
PID 3400 wrote to memory of 3280	3400	saves.exe	schtasks.exe
PID 3400 wrote to memory of 3280	3400	saves.exe	schtasks.exe
PID 3400 wrote to memory of 1444	3400	saves.exe	cmd.exe
PID 3400 wrote to memory of 1444	3400	saves.exe	cmd.exe
PID 3400 wrote to memory of 1444	3400	saves.exe	cmd.exe
PID 1444 wrote to memory of 3404	1444	cmd.exe	cmd.exe
PID 1444 wrote to memory of 3404	1444	cmd.exe	cmd.exe
PID 1444 wrote to memory of 3404	1444	cmd.exe	cmd.exe
PID 1444 wrote to memory of 3460	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 3460	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 3460	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 4380	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 4380	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 4380	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 4676	1444	cmd.exe	cmd.exe
PID 1444 wrote to memory of 4676	1444	cmd.exe	cmd.exe
PID 1444 wrote to memory of 4676	1444	cmd.exe	cmd.exe
PID 1444 wrote to memory of 720	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 720	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 720	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 2304	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 2304	1444	cmd.exe	cacls.exe
PID 1444 wrote to memory of 2304	1444	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe
"C:\Users\Admin\AppData\Local\Temp\c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1387297.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1387297.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2122202.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2122202.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5200

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8979577.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8979577.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8871577.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8871577.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4096492.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4096492.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5400

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
7⤵
- Creates scheduled task(s)
PID:3280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:3404

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
8⤵
PID:3460

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
8⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4676

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
8⤵
PID:720

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
8⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5613002.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5613002.exe
4⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1387297.exe
Filesize
706KB

MD5
522fdd513a2e5654aaa1a86d8e877b19

SHA1
b36b076c3e4bea5f683ed6fd65e0f56f59fd4703

SHA256
fab11a184d850740e499a941bbd192c2ae7a487a63a67ea2f0a7c0a45aef14fa

SHA512
174fd0cc19fcb878a7035aece12c2e9ddaef1a0137ad601b73bad309a98db421543e86f1bb6f581e515605582c75c0b7b8fa6c02df629bc184b7db137627c612

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2122202.exe
Filesize
540KB

MD5
1a745ab8cfd599fc9c392009aacafbaa

SHA1
9f522b3692ba9e2c5833a1c5e5f45c198692c4b8

SHA256
f24e88d400df87994bf16d3edc7036915254a98ac02cdb85d7a7daf8338f8075

SHA512
28d810a014daad02f78d71706f3cf9c74ae1945f98636e31f3752c16a11df0f92171208e42c44de5a6c082e56699f9f01a7c733e9c511e521af7c6445894b21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5613002.exe
Filesize
173KB

MD5
7864b1aff2c27dd1452aa65fa83b545a

SHA1
ebb0d7fe16ffdd7dc3c90ee61f42120d8479b9a1

SHA256
54ad7fb552b2eac93cd95105cf40c2a1b1a219733c536c11ba93ea8d8dee8985

SHA512
cc573f625b4bf617287ea94d1ee686dbe243589107c9803b72c4f38469692bd4481277bdcca08987be0c14c705ac08e5f2e58b4c4b0832957b32b9e71a4d6525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8979577.exe
Filesize
384KB

MD5
ea910a7ec0183340f8856c5895f0e75e

SHA1
6ab28ea7b498b01c81b0ddaf623aa44c4324ae5b

SHA256
81d51185b167aca1b95751beab6f801780af97c16ed63046b5011dbcfd51267e

SHA512
ce64f7d346ee014e005cf07dead2d2252fac07204579031215e5ba4fa09a93cd55fab5fc9feb502a2cbfa6b7fb3c32b0da77b136e513de342636af7c8ecc2f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8871577.exe
Filesize
185KB

MD5
9ac79fd58e2092e7d6d33c9798339513

SHA1
98023b23d8675ae3f8f09ead186d86b04e49f03d

SHA256
b76bbfc7392e271c95f11f70e4d21d0a15a03458f6828e88257a037f5b6ea66c

SHA512
ed99e76bd60a67fa6db1f91a7cb3ae6883fb23e48da47c4ed09b1b7067a87be7043a3a59671e5302ec37ce22d6e7c394deb799afe93bc79fe85016969575cc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4096492.exe
Filesize
335KB

MD5
d25095eecf2b86ee32bec8020907f858

SHA1
b07bf66a028e6c769e314ac6e06a12f62aa30e12

SHA256
7411f1a815a2b183c3759a3282b05c17f23324cb320a1190719c5ca136329d19

SHA512
61725e00b4fc3a0158b3228ce48933b33a13e122ae418bc30dfbc6a99b522978cafc3cb7e4a5e1899780abbba0b720eaaff50bf7790d224d100b2660253e0127

Download Submit
memory/2404-79-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/2404-78-0x0000000004CE0000-0x0000000004DEA000-memory.dmp

Filesize
1.0MB

Download
memory/2404-77-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/2404-76-0x0000000002480000-0x0000000002486000-memory.dmp

Filesize
24KB

Download
memory/2404-75-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2404-80-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download
memory/2404-81-0x0000000004C50000-0x0000000004C9C000-memory.dmp

Filesize
304KB

Download
memory/4212-40-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-50-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-38-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-36-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-32-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-46-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-44-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-34-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-31-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-42-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-52-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-54-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-56-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-58-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-48-0x00000000049B0000-0x00000000049C6000-memory.dmp

Filesize
88KB

Download
memory/4212-30-0x00000000049B0000-0x00000000049CC000-memory.dmp

Filesize
112KB

Download
memory/4212-29-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/4212-28-0x00000000020B0000-0x00000000020CE000-memory.dmp

Filesize
120KB

Download