amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe
Size

812KB
MD5

c32af393533d7be2f96748156338d33c
SHA1

a58be11608b6f27970a62122c7bb6d4e8536a02a
SHA256

d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404
SHA512

9e1f47b3c20f4fa0b0e97758ef702aad9781756266c7c6c8916e189ca00cc477e641524fb84a61b50604adc0e5f231d7a7ca069576dd27631ce1fd58ce2146d0
SSDEEP

24576:Uy72IKmbWYfa3qnoWU0+AhWPlWLZJoXi3Om:jyHmb5i3qAn/PcLZJoXG

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g1682404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g1682404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g1682404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g1682404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g1682404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g1682404.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral15/files/0x00070000000233fe-73.dat	family_redline
behavioral15/memory/220-75-0x0000000000EC0000-0x0000000000EF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	h9458880.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

pid	Process
3680	x7806108.exe
3452	x3476617.exe
4592	x1857428.exe
3564	g1682404.exe
792	h9458880.exe
3968	saves.exe
220	i8933028.exe
2260	saves.exe
4492	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g1682404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g1682404.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7806108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3476617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1857428.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3564	g1682404.exe
3564	g1682404.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	g1682404.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3680	2740	d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe	81
PID 2740 wrote to memory of 3680	2740	d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe	81
PID 2740 wrote to memory of 3680	2740	d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe	81
PID 3680 wrote to memory of 3452	3680	x7806108.exe	82
PID 3680 wrote to memory of 3452	3680	x7806108.exe	82
PID 3680 wrote to memory of 3452	3680	x7806108.exe	82
PID 3452 wrote to memory of 4592	3452	x3476617.exe	83
PID 3452 wrote to memory of 4592	3452	x3476617.exe	83
PID 3452 wrote to memory of 4592	3452	x3476617.exe	83
PID 4592 wrote to memory of 3564	4592	x1857428.exe	84
PID 4592 wrote to memory of 3564	4592	x1857428.exe	84
PID 4592 wrote to memory of 3564	4592	x1857428.exe	84
PID 4592 wrote to memory of 792	4592	x1857428.exe	89
PID 4592 wrote to memory of 792	4592	x1857428.exe	89
PID 4592 wrote to memory of 792	4592	x1857428.exe	89
PID 792 wrote to memory of 3968	792	h9458880.exe	90
PID 792 wrote to memory of 3968	792	h9458880.exe	90
PID 792 wrote to memory of 3968	792	h9458880.exe	90
PID 3452 wrote to memory of 220	3452	x3476617.exe	91
PID 3452 wrote to memory of 220	3452	x3476617.exe	91
PID 3452 wrote to memory of 220	3452	x3476617.exe	91
PID 3968 wrote to memory of 4956	3968	saves.exe	92
PID 3968 wrote to memory of 4956	3968	saves.exe	92
PID 3968 wrote to memory of 4956	3968	saves.exe	92
PID 3968 wrote to memory of 400	3968	saves.exe	94
PID 3968 wrote to memory of 400	3968	saves.exe	94
PID 3968 wrote to memory of 400	3968	saves.exe	94
PID 400 wrote to memory of 4564	400	cmd.exe	96
PID 400 wrote to memory of 4564	400	cmd.exe	96
PID 400 wrote to memory of 4564	400	cmd.exe	96
PID 400 wrote to memory of 3396	400	cmd.exe	97
PID 400 wrote to memory of 3396	400	cmd.exe	97
PID 400 wrote to memory of 3396	400	cmd.exe	97
PID 400 wrote to memory of 548	400	cmd.exe	98
PID 400 wrote to memory of 548	400	cmd.exe	98
PID 400 wrote to memory of 548	400	cmd.exe	98
PID 400 wrote to memory of 4188	400	cmd.exe	99
PID 400 wrote to memory of 4188	400	cmd.exe	99
PID 400 wrote to memory of 4188	400	cmd.exe	99
PID 400 wrote to memory of 3756	400	cmd.exe	100
PID 400 wrote to memory of 3756	400	cmd.exe	100
PID 400 wrote to memory of 3756	400	cmd.exe	100
PID 400 wrote to memory of 3340	400	cmd.exe	101
PID 400 wrote to memory of 3340	400	cmd.exe	101
PID 400 wrote to memory of 3340	400	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe
"C:\Users\Admin\AppData\Local\Temp\d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7806108.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7806108.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3476617.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3476617.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1857428.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1857428.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1682404.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1682404.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9458880.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9458880.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:792
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8933028.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8933028.exe
      4⤵
      Executes dropped EXE
      PID:220

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7806108.exe

Filesize
706KB

MD5
ad99f9b3ff89072c3bd9c2074e6aebcb

SHA1
d599efc4992731b1184683e3ee617f001d352cab

SHA256
d0c127a4a6921e31b28fafc3da002df40552c15457a9caa206b5d4d7898918e7

SHA512
402a321a421621ff8648b466456d6f96d1616c39edfdf076ccbdbb33715a42baeed2b024d30d64809432a8db738eb3531d7a78e0745f12311eb356ec737d84ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3476617.exe

Filesize
540KB

MD5
435bfa29df1de1ef38ae405075b8828d

SHA1
2d2ab95899689881c9afb9d7d657071e90ed305a

SHA256
faae692feeb7dff318d310cdc01ca11d025fa95a59f09d52e2a38b39f5ea400d

SHA512
8a634d7f8f511cdd8186dcc2418b209ae6f26fcc219fb505873d5fd0542bca3367b507c515b80c5fc43fa9e07f99c5bdd972fa2ba5b1f4347d113206dbb4b1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8933028.exe

Filesize
174KB

MD5
48a600871b4d54a883e6e37fa0a5c49c

SHA1
b2e2c68ec120720c25bc39af22a91b89ff11d550

SHA256
c9f320e92715be9a1d8537fbaadcea66751a057096946d06a343bbb14af25fa6

SHA512
84cbb6b46964051da270bc8d9384d3192c9b2b815159f743250bf3773cc85b4f50d15753ce80d4480f9b4665462450a8aa74e201a4e835514301d7f024395b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1857428.exe

Filesize
384KB

MD5
ff8cca1e0a46d6f3e46e7a23b4ae57bb

SHA1
d7636dddee40f24dac5216c2955749f84e9eccc7

SHA256
99b31f8abf6b544f5d75c7fb58180fa0659a4d5ae4f67fffcac9d865c8fed591

SHA512
959dad88fe052e902888f2cdbf450a1c054855a5794ca469e9fbb1fc4bf60b1f50ba3c4e1b1e65a2182b029408443098dedebea72f3958a20392fb44feb552f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1682404.exe

Filesize
185KB

MD5
115a128a75d59f5595098bd66707bc57

SHA1
7638157b9a7b3829bc7cfee9b0d3764d62c4ce69

SHA256
60349accf94329c3cfc5286ca9de825fc1849e9e63eb12ca158cb7143802899d

SHA512
bc75f8fb0cb584bd18f049437161329d336d72eecb607bbd7131e2a366090e8ff066c914e39ae2013fd941ddd70fa2455be24c6b49c0c8b6d4ce17b61e6fdd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9458880.exe

Filesize
337KB

MD5
2fecb5d3bc43008dabdeae42e61dd8da

SHA1
20fdd3273d238425e6a33680df6442ae5c8253dd

SHA256
201bb8fad59eaf8a3623efb724e33dc9c15d6b4de5cff2b93e22cebe82501920

SHA512
d0e949d319c33a799c6369fdef2c7eaddec57a60b275d1a17cc50f479f6ce3c180fc1969d6fbbce8387444bd290156d412038fd73d5aaa9b265afd7b06713f8e

Download Submit
memory/220-79-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/220-78-0x0000000005960000-0x0000000005A6A000-memory.dmp

Filesize
1.0MB

Download
memory/220-77-0x0000000005E70000-0x0000000006488000-memory.dmp

Filesize
6.1MB

Download
memory/220-76-0x00000000016B0000-0x00000000016B6000-memory.dmp

Filesize
24KB

Download
memory/220-75-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

Filesize
192KB

Download
memory/220-80-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/220-81-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/3564-45-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-48-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-42-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-40-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-38-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-36-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-35-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-31-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-32-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-46-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-51-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-52-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-54-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-56-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-58-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3564-30-0x0000000002100000-0x000000000211C000-memory.dmp

Filesize
112KB

Download
memory/3564-29-0x00000000049A0000-0x0000000004F44000-memory.dmp

Filesize
5.6MB

Download
memory/3564-28-0x00000000020B0000-0x00000000020CE000-memory.dmp

Filesize
120KB

Download