Overview

overview

10

Static

static

3

0805913f50...13.exe

windows10-2004-x64

10

11eba51293...3a.exe

windows10-2004-x64

10

17a0568b20...3a.exe

windows10-2004-x64

10

346c46bc82...26.exe

windows10-2004-x64

10

4867af9d5d...1f.exe

windows10-2004-x64

10

5f2f269e1f...9a.exe

windows10-2004-x64

10

64e73ef21d...a1.exe

windows10-2004-x64

10

7c556f6f80...61.exe

windows10-2004-x64

10

8c970cc94c...d3.exe

windows10-2004-x64

10

9296923f57...24.exe

windows10-2004-x64

10

ae96a881fd...69.exe

windows10-2004-x64

10

b150b2b6ed...d5.exe

windows10-2004-x64

10

c1b0ce286b...51.exe

windows10-2004-x64

10

c1d1b117a2...35.exe

windows10-2004-x64

10

d876400b35...04.exe

windows10-2004-x64

10

eb3bd6af82...52.exe

windows10-2004-x64

10

eb7c2e9dc2...28.exe

windows10-2004-x64

10

ed2eb0d5dc...bf.exe

windows10-2004-x64

10

fc2a396813...13.exe

windows10-2004-x64

10

fd4ce916b7...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe

  • Size

    845KB

  • MD5

    48567c75c4c768747990b660f8c98486

  • SHA1

    c5d74fb54ab54eb6097414ab1a4c3f80481dfdbc

  • SHA256

    b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5

  • SHA512

    352575ff5f4c3d71905472f5fa1821bd89c0a74f2f66eec4a8529a05ff8155e24fb095fff87c9b425a855f94bd2e29178faa2a8b1bbf4d45c5dce2601f147cb2

  • SSDEEP

    24576:wyTGPDzqeWDz0usMLfZU1nloJ6e6uVQgEb:3SP/9+z0usCq1nmLFE

Score
10/10
amadeyhealerredlinefb0fb8mrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
    "C:\Users\Admin\AppData\Local\Temp\b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4788
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1476
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4568
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4480
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
                  8⤵
                  • Creates scheduled task(s)
                  PID:2788
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2324
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    9⤵
                      PID:1580
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "explonde.exe" /P "Admin:N"
                      9⤵
                        PID:4364
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "explonde.exe" /P "Admin:R" /E
                        9⤵
                          PID:3160
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          9⤵
                            PID:1772
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\fefffe8cea" /P "Admin:N"
                            9⤵
                              PID:2660
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "..\fefffe8cea" /P "Admin:R" /E
                              9⤵
                                PID:2204
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
                        5⤵
                        • Executes dropped EXE
                        PID:3400
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:3752
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:3836

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0767174.exe
                Filesize

                739KB

                MD5

                1f1478a97885ee2786ea0dabfe4cd0f6

                SHA1

                ba07d4d4972718f40e7028b6ba5a3206cbec8f0a

                SHA256

                bb7fd4e73d69bd091eec4adcf7195b67c4967bf26a9f6e49d23cc1f8f1cb86ff

                SHA512

                d1850999c2342ed2353fb6eb0d590c085bee4892d51446c4db50b15df868ff0b90c6d5dfb259b4588aed51729bdfdc2fcc26957cd5ee56c66fc463fe06da78de

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7195821.exe
                Filesize

                573KB

                MD5

                3cef8d01010e36c8ec99cf64df9c99c5

                SHA1

                9f707037219996936d8eb6f3b83f24d0ddd10bf9

                SHA256

                aeb7cc95a992ac4900bc0425baed7d55a5cba9715b62a832a719d622cc626382

                SHA512

                4feb44bbe29309c4cbe8129fa8fc439afed3db7fcd7307afa4be4931e170ca2f895ffca043d43353f026413094a12981ee8928bed71acbb93583e53c015cf933

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9272765.exe
                Filesize

                390KB

                MD5

                7560beb7322bd2692df3a03011caa912

                SHA1

                2dbc1f17d7b4235a8ece2bf86f641b3294aab8ec

                SHA256

                c9e9bef07fa4c791811556b72c9203cad57565f08289fde336f946c7e352d733

                SHA512

                d03372522b7193d76ea12d763554ba9d2d2cfbbff1fbbdea2fdf6fa85774b2e1242a1c5c0572618ee8c595cff5394fa884e214b5da9669a8622eb0219e6e68ca

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5081066.exe
                Filesize

                175KB

                MD5

                b9223d0c0d016a1b71628bac899b8c85

                SHA1

                1fcf1ca92a29ab20d60dc32c87814307dea3030c

                SHA256

                f5d965417ff0d03022452485374cbf1383d9e363456379c1176ff875b77b6efe

                SHA512

                e6bb7297988b57275f3962dcd920c9242caa6feb0d9fcd9f720f407710be0e033d131491aaa7f8fa5ca9efb88d7d183b784c9004c3a961f25d4373c38e61f5f1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0303318.exe
                Filesize

                234KB

                MD5

                5157199d2abd9f40948702814b18cdac

                SHA1

                c1d9db02998d50e0088b405b5a8c975bee7a1f07

                SHA256

                e2a8dd69ea92189cb06a62fdc7299a5d82bdbd44a6bb542adce3051123ff3e61

                SHA512

                03da39aececfccf87a09092db50a2187e76208fc47c95fc8cee420fec674aa0c9aa3cbd6ac0553d8bd2b004a77fdf519ee198a708f60914d7ccb05c5a98c5359

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6317664.exe
                Filesize

                11KB

                MD5

                5134903f08843187dc208206f5e99368

                SHA1

                66a6002cd55b2a568938c5e6d4bc0f3c7fd16055

                SHA256

                f844b8f8aaf79e351fd89933625e8d0cb139de2c25f30cccbb42eb75ed496615

                SHA512

                24fdb5c79b79cb39e7792dc8aa9368cbb23d881b391a19bcff185f5d44748f26a5c3ab7264dc5f387052512b2c897fb0a8c17f0a7867a3f6963ab6814d4a9599

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3534172.exe
                Filesize

                220KB

                MD5

                6ab82d832ff9bd75e6981da2371c51c2

                SHA1

                ba7cc8f447c7d0685ff59b6994413f02dfc0a588

                SHA256

                96dbe3d3af00eb9ff975f8240661f0e9d89fe00cf60e3cc35f52c43eaa12e795

                SHA512

                c51bf70c508e46a51425c44a89136752790e8cc5c0022e3f94d488d473fc75d17ab624a9be7eaa4734b0e3fe6f76b403e98a47b2f5aa14a3013f2edff40f8183

                Download Submit

              • memory/1476-35-0x00000000001E0000-0x00000000001EA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3400-52-0x0000000000AD0000-0x0000000000B00000-memory.dmp

                Filesize

                192KB

                Download

              • memory/3400-53-0x0000000001380000-0x0000000001386000-memory.dmp

                Filesize

                24KB

                Download

              • memory/3400-54-0x0000000005B90000-0x00000000061A8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3400-56-0x0000000005590000-0x00000000055A2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3400-55-0x0000000005680000-0x000000000578A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/3400-57-0x00000000055F0000-0x000000000562C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/3400-58-0x0000000005790000-0x00000000057DC000-memory.dmp

                Filesize

                304KB

                Download