amadey | fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe
Size

809KB
MD5

0916237eabab44bdebdaaa534e5b0044
SHA1

0f91723a69badda61451fdad109d59c3ca65fd67
SHA256

d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b
SHA512

8d1aeb276067c925e6963d73f57f2b14d805bc94cdd1dcc36a4bd00412b4b6c83c3a63fc18ba0a715005a2e7e7016de3e9261e062e9ac31c7692226211b3f0e9
SSDEEP

12288:YMrWy90qF5sd2S/bMJHsA+43dFUwnHAjGqnos9rW3m47uO4H73IK1fC2rca2hzG:uyEoJMAD6vyqno5WZZ7YEC6R

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

g3030328.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g3030328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g3030328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g3030328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g3030328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g3030328.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g3030328.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3775501.exe	family_redline
behavioral19/memory/3656-75-0x0000000000990000-0x00000000009C0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h2963045.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	h2963045.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

Processes:

x3112480.exex1104897.exex9546914.exeg3030328.exeh2963045.exesaves.exei3775501.exesaves.exesaves.exe

pid process

3336 x3112480.exe
3776 x1104897.exe
1252 x9546914.exe
2148 g3030328.exe
3024 h2963045.exe
1560 saves.exe
3656 i3775501.exe
2756 saves.exe
3940 saves.exe

pid	process
3336	x3112480.exe
3776	x1104897.exe
1252	x9546914.exe
2148	g3030328.exe
3024	h2963045.exe
1560	saves.exe
3656	i3775501.exe
2756	saves.exe
3940	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

g3030328.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g3030328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g3030328.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exex3112480.exex1104897.exex9546914.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3112480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1104897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9546914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

g3030328.exe

pid process

2148 g3030328.exe
2148 g3030328.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

g3030328.exe

description pid process

Token: SeDebugPrivilege 2148 g3030328.exe

pid	process
2648	schtasks.exe

pid	process
2148	g3030328.exe
2148	g3030328.exe

description	pid	process
Token: SeDebugPrivilege	2148	g3030328.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exex3112480.exex1104897.exex9546914.exeh2963045.exesaves.execmd.exe

description	pid	process	target process
PID 1500 wrote to memory of 3336	1500	d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe	x3112480.exe
PID 1500 wrote to memory of 3336	1500	d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe	x3112480.exe
PID 1500 wrote to memory of 3336	1500	d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe	x3112480.exe
PID 3336 wrote to memory of 3776	3336	x3112480.exe	x1104897.exe
PID 3336 wrote to memory of 3776	3336	x3112480.exe	x1104897.exe
PID 3336 wrote to memory of 3776	3336	x3112480.exe	x1104897.exe
PID 3776 wrote to memory of 1252	3776	x1104897.exe	x9546914.exe
PID 3776 wrote to memory of 1252	3776	x1104897.exe	x9546914.exe
PID 3776 wrote to memory of 1252	3776	x1104897.exe	x9546914.exe
PID 1252 wrote to memory of 2148	1252	x9546914.exe	g3030328.exe
PID 1252 wrote to memory of 2148	1252	x9546914.exe	g3030328.exe
PID 1252 wrote to memory of 2148	1252	x9546914.exe	g3030328.exe
PID 1252 wrote to memory of 3024	1252	x9546914.exe	h2963045.exe
PID 1252 wrote to memory of 3024	1252	x9546914.exe	h2963045.exe
PID 1252 wrote to memory of 3024	1252	x9546914.exe	h2963045.exe
PID 3024 wrote to memory of 1560	3024	h2963045.exe	saves.exe
PID 3024 wrote to memory of 1560	3024	h2963045.exe	saves.exe
PID 3024 wrote to memory of 1560	3024	h2963045.exe	saves.exe
PID 3776 wrote to memory of 3656	3776	x1104897.exe	i3775501.exe
PID 3776 wrote to memory of 3656	3776	x1104897.exe	i3775501.exe
PID 3776 wrote to memory of 3656	3776	x1104897.exe	i3775501.exe
PID 1560 wrote to memory of 2648	1560	saves.exe	schtasks.exe
PID 1560 wrote to memory of 2648	1560	saves.exe	schtasks.exe
PID 1560 wrote to memory of 2648	1560	saves.exe	schtasks.exe
PID 1560 wrote to memory of 4296	1560	saves.exe	cmd.exe
PID 1560 wrote to memory of 4296	1560	saves.exe	cmd.exe
PID 1560 wrote to memory of 4296	1560	saves.exe	cmd.exe
PID 4296 wrote to memory of 968	4296	cmd.exe	cmd.exe
PID 4296 wrote to memory of 968	4296	cmd.exe	cmd.exe
PID 4296 wrote to memory of 968	4296	cmd.exe	cmd.exe
PID 4296 wrote to memory of 4568	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4568	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4568	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4692	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4692	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4692	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4648	4296	cmd.exe	cmd.exe
PID 4296 wrote to memory of 4648	4296	cmd.exe	cmd.exe
PID 4296 wrote to memory of 4648	4296	cmd.exe	cmd.exe
PID 4296 wrote to memory of 4580	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4580	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4580	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4656	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4656	4296	cmd.exe	cacls.exe
PID 4296 wrote to memory of 4656	4296	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe
"C:\Users\Admin\AppData\Local\Temp\d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3112480.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3112480.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1104897.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1104897.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9546914.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9546914.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3030328.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3030328.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2963045.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2963045.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
7⤵
- Creates scheduled task(s)
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:968

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
8⤵
PID:4568

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
8⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4648

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
8⤵
PID:4580

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
8⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3775501.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3775501.exe
4⤵
- Executes dropped EXE
PID:3656

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3112480.exe
Filesize
705KB

MD5
ce334bfe67089adbe1456b04d8432b7c

SHA1
026939cff1241237c2490c8e88b7d171ef1c3898

SHA256
2a887fe8c19459033870c3deda485e8b562b122a72bd0ed7fde88df72e6d2697

SHA512
f22fb64730613f035e1b60358423e80c75e19bcb67112abc00a8da6381b85161c980c0809f483b29dcefef9ff963a4318d2a2c910ce6d5b83de31eeb40e22b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1104897.exe
Filesize
540KB

MD5
eea5393b43db64aa472928b6f894677b

SHA1
4923891e15f6c972fdadcb6fbc4066e08fa13a7d

SHA256
85b8d1727e9fdbb01109cb8de016cd01890fea644f95eecdf519136a01f31f10

SHA512
e1957d10dec98b05a1b09f42036b1d772c0d96f923ae3b671e6368878b7a9ec898074836985b14a01e71889dbd8b9172070df1779ce6b472e45750a38aea6878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3775501.exe
Filesize
174KB

MD5
5acae2ce56f3932ab54a37a7d28806b9

SHA1
ca1c33e7a7d896f9527c46fde174d889ada856f9

SHA256
77a895c55d0691017b71277d67204606d95c1b0a3bd0b122ba2bc09827c3964b

SHA512
35f48e4c8bb3491401aac82b6c882d8fd8731cf6b28d88158dc8b3554f2438268b69b9b9c55bef6e4616f4c4afed23c705109ec5ac253c9fe7798b7a37cb6ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9546914.exe
Filesize
384KB

MD5
39a8277774335a002eaf59f18544a637

SHA1
ebc9f1f5a50897bb8a5f47cad7a503d236855faf

SHA256
6ff7f17d0bba79a4f0510a92e51e4decee36b45b536f85a7bee108921b3f46c7

SHA512
ecb5e0504af05fb6e4f7b50b49c3df701322ee570725e03ce8fdfa2a5aad994388c35eb7b24f271f72fc618285ba8c3e9fa69d0d9c4a505b3d16b4a653041f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3030328.exe
Filesize
185KB

MD5
cf35ad87c60380a84ee0fc449d81db6b

SHA1
2ce5ca565c2e9260fdebd5db122e2c111a651985

SHA256
3d1a1da29e64defd5d971887830a4e5f802b29aab490b09e3cad26f0f057e2ce

SHA512
c19a4062a6b96fbbcd8ceed56ebe4f0b5b107749491df197441a0faf0250afd6128c73fe1d22e834b565b085c7fa94dc4130c36b1eadc9810faa7e2be8e80e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2963045.exe
Filesize
336KB

MD5
f1582d06555940882b468289eb57a4ca

SHA1
b6f628462b7988a57bf904b5d96f2d29d825e1ed

SHA256
29aed2d5971c9e8ea1e742ff6d103f4b641d5681b1f2361a6aabf18e6e38b196

SHA512
cae0cc3b15961bd7e6ef4495181866f334f215659843c3d332477e22ecbb2281207f80ff68cf4b35b60868de6cd3cfd9d702816b7c91953962d4baf1726f45b0

Download Submit
memory/2148-46-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-31-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-40-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-58-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-54-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-52-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-50-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-48-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-30-0x0000000002470000-0x000000000248C000-memory.dmp

Filesize
112KB

Download
memory/2148-44-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-42-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-34-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-32-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-36-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-56-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-38-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/2148-29-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/2148-28-0x0000000002170000-0x000000000218E000-memory.dmp

Filesize
120KB

Download
memory/3656-75-0x0000000000990000-0x00000000009C0000-memory.dmp

Filesize
192KB

Download
memory/3656-76-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

Filesize
24KB

Download
memory/3656-77-0x0000000005950000-0x0000000005F68000-memory.dmp

Filesize
6.1MB

Download
memory/3656-78-0x0000000005440000-0x000000000554A000-memory.dmp

Filesize
1.0MB

Download
memory/3656-79-0x0000000005200000-0x0000000005212000-memory.dmp

Filesize
72KB

Download
memory/3656-80-0x0000000005370000-0x00000000053AC000-memory.dmp

Filesize
240KB

Download
memory/3656-81-0x00000000053C0000-0x000000000540C000-memory.dmp

Filesize
304KB

Download