amadey | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe
Size

830KB
MD5

9c50d39c6ed47f89d58009df0a2a3e4c
SHA1

5756a2f2448ce80c83e10962619e5cd416f8ee88
SHA256

bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b
SHA512

9d1dc06eb982fee68c190f60e61da71cf55f65394403f06ff063cf6c3b05221c8fda2c6b1fe956fa85ae9ed491c5d6d6d7095f9d1f30d5132d3e5a089a9a0c9b
SSDEEP

24576:QyeH4/JFWyn+4lOHy6XJAcR1OX8e2a5QN5g87xE:X7TWkOS6XJrU3

Score

10^/10

amadey healer redline 59b440 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral15/files/0x0008000000023426-34.dat	healer
behavioral15/memory/1836-35-0x00000000000D0000-0x00000000000DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9336339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9336339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9336339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9336339.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9336339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9336339.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral15/files/0x0007000000023424-50.dat	family_redline
behavioral15/memory/2440-52-0x0000000000560000-0x0000000000590000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	b5408226.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 11 IoCs

pid	Process
3500	v6889920.exe
4792	v6066256.exe
4504	v7938826.exe
1868	v8387208.exe
1836	a9336339.exe
1928	b5408226.exe
1500	saves.exe
2440	c6132976.exe
1520	saves.exe
1372	saves.exe
3080	saves.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9336339.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8387208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6889920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6066256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7938826.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1836	a9336339.exe
1836	a9336339.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	a9336339.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3500	1916	bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe	84
PID 1916 wrote to memory of 3500	1916	bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe	84
PID 1916 wrote to memory of 3500	1916	bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe	84
PID 3500 wrote to memory of 4792	3500	v6889920.exe	85
PID 3500 wrote to memory of 4792	3500	v6889920.exe	85
PID 3500 wrote to memory of 4792	3500	v6889920.exe	85
PID 4792 wrote to memory of 4504	4792	v6066256.exe	86
PID 4792 wrote to memory of 4504	4792	v6066256.exe	86
PID 4792 wrote to memory of 4504	4792	v6066256.exe	86
PID 4504 wrote to memory of 1868	4504	v7938826.exe	87
PID 4504 wrote to memory of 1868	4504	v7938826.exe	87
PID 4504 wrote to memory of 1868	4504	v7938826.exe	87
PID 1868 wrote to memory of 1836	1868	v8387208.exe	88
PID 1868 wrote to memory of 1836	1868	v8387208.exe	88
PID 1868 wrote to memory of 1928	1868	v8387208.exe	97
PID 1868 wrote to memory of 1928	1868	v8387208.exe	97
PID 1868 wrote to memory of 1928	1868	v8387208.exe	97
PID 1928 wrote to memory of 1500	1928	b5408226.exe	98
PID 1928 wrote to memory of 1500	1928	b5408226.exe	98
PID 1928 wrote to memory of 1500	1928	b5408226.exe	98
PID 4504 wrote to memory of 2440	4504	v7938826.exe	99
PID 4504 wrote to memory of 2440	4504	v7938826.exe	99
PID 4504 wrote to memory of 2440	4504	v7938826.exe	99
PID 1500 wrote to memory of 736	1500	saves.exe	100
PID 1500 wrote to memory of 736	1500	saves.exe	100
PID 1500 wrote to memory of 736	1500	saves.exe	100
PID 1500 wrote to memory of 1624	1500	saves.exe	102
PID 1500 wrote to memory of 1624	1500	saves.exe	102
PID 1500 wrote to memory of 1624	1500	saves.exe	102
PID 1624 wrote to memory of 1856	1624	cmd.exe	104
PID 1624 wrote to memory of 1856	1624	cmd.exe	104
PID 1624 wrote to memory of 1856	1624	cmd.exe	104
PID 1624 wrote to memory of 452	1624	cmd.exe	105
PID 1624 wrote to memory of 452	1624	cmd.exe	105
PID 1624 wrote to memory of 452	1624	cmd.exe	105
PID 1624 wrote to memory of 2896	1624	cmd.exe	106
PID 1624 wrote to memory of 2896	1624	cmd.exe	106
PID 1624 wrote to memory of 2896	1624	cmd.exe	106
PID 1624 wrote to memory of 544	1624	cmd.exe	107
PID 1624 wrote to memory of 544	1624	cmd.exe	107
PID 1624 wrote to memory of 544	1624	cmd.exe	107
PID 1624 wrote to memory of 4984	1624	cmd.exe	108
PID 1624 wrote to memory of 4984	1624	cmd.exe	108
PID 1624 wrote to memory of 4984	1624	cmd.exe	108
PID 1624 wrote to memory of 4860	1624	cmd.exe	109
PID 1624 wrote to memory of 4860	1624	cmd.exe	109
PID 1624 wrote to memory of 4860	1624	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe
"C:\Users\Admin\AppData\Local\Temp\bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6889920.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6889920.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6066256.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6066256.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7938826.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7938826.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8387208.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8387208.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9336339.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9336339.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5408226.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5408226.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        8⤵
        Creates scheduled task(s)
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        9⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        9⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        9⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        9⤵
        
        PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6132976.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6132976.exe
        5⤵
        Executes dropped EXE
        
        PID:2440

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6889920.exe

Filesize
724KB

MD5
35e33c83ed7b694734ba374bfcc91139

SHA1
50dad8b5d82597e0376e975d716f397f6a2bef76

SHA256
0040963d0dc841620440765e9f18da93f7a31ed501dc77a53fa30393325e3337

SHA512
d74a305f4972db66d78d7942367f7d834c1db0169e0275b7f9607e0d8c2093705901f8a5c60ef4a79e3d850421184ea119cc001aefffc4c6ab5b2280496b1b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6066256.exe

Filesize
599KB

MD5
2c3d1ddcf27a8dd4cfad86b6f0818337

SHA1
8b8500a7183cab1e068e55e959d0a0bacdd9a211

SHA256
f113ff189d60eeb8ae4f348ded203c5e0d155db81c78068610891147ed2ee14e

SHA512
20822f35f4345cc6bb08d90a913b5a653b49b90a332c449f2eb91cec72accca74f21fa595ea8d815897b3810a298cd02bdb9b34970c902d64fe742d359159eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7938826.exe

Filesize
433KB

MD5
4dccdafe94330efcc13ebf206cbc21f0

SHA1
d6c733dfcad94fc729a4f15f4cfe08b6db58b4b5

SHA256
1260de1428d92cfc55e24810a4389bb042fa0714dc6069138198f5edff4a7dd7

SHA512
b6ee48a808be23f085548d569f294b37f501b404eb3422286341870dbf0a6e5c35224d82fda959231c26d610080e69b4bf24d6d35010c846904e57635ff24a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6132976.exe

Filesize
175KB

MD5
18d09c1a2ede8664f76d8d9105e15306

SHA1
73711128ba7e69af39c79553e514eb131fe35621

SHA256
9c5bef9bf48cd5299a601a9af4898904cf351ab17a15537d606d45ec60be5c83

SHA512
649b380ebacc04308753a2a4609c98053d28afd043221ef07e6c2b1b1f2e618dd730dc0ea2a7bf3c6b65ea2ccd1d9e6747c76bdb3795540092f12dbb3c94a780

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8387208.exe

Filesize
277KB

MD5
c6acf486e432ac67ebdec562d33b3fa3

SHA1
b9de43085c501efa2f90dd9e53bbb8dfdcfce47d

SHA256
13485081c3de14dad1245eec42083625643fa5a3b2c17c902d20ba5dc156190e

SHA512
9dd053d5dcacdef15f54e751da979de016853eee1b224df87ef62a3b717f129126dd3610a3d8cef674f592652d3599217f0d791deed2450a7413c7b99cc80cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9336339.exe

Filesize
11KB

MD5
7db5b6dd818c70bf7d89e4a4d0c348f0

SHA1
4ba2627cbad98cc3f34cd1b6fc90e239b7dcb037

SHA256
b3a9ed94c66fdaf0259747f05e0abb1a22f010517e762ce713cb0efee0c6bd16

SHA512
dba6be30ea75817849a314a8b5f4c9ee5bf8e3d772592b72f7fded090e242ef4e4658699fee33de3735e232dc5520d0752092024b1f5a412b5bb151edc21f40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5408226.exe

Filesize
339KB

MD5
335eded0b9ee641b5df45eef0d59b6df

SHA1
6e895ed6adaadc8708d6b09c5988d1939a072cd4

SHA256
7403620cb32004991e3a1a53616d4f828cfc776d8238337a86d8ca3bcaeefeaf

SHA512
78e20a3758b8b08732e61fd4a63a29003f5075d390dc915c06079b9ac99086a76940fdd3cb64856f6cd967a1b89a81d363d110494629fe56e64823e11d8c4e50

Download Submit
memory/1836-35-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2440-52-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/2440-53-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/2440-54-0x000000000A8A0000-0x000000000AEB8000-memory.dmp

Filesize
6.1MB

Download
memory/2440-55-0x000000000A3D0000-0x000000000A4DA000-memory.dmp

Filesize
1.0MB

Download
memory/2440-56-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/2440-57-0x000000000A360000-0x000000000A39C000-memory.dmp

Filesize
240KB

Download
memory/2440-58-0x00000000028B0000-0x00000000028FC000-memory.dmp

Filesize
304KB

Download