amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe
Size

812KB
MD5

79983cb4cd4ed44124acf90324aab153
SHA1

95cbc2ecd9756f962ec62f265dd70b37efc50fe0
SHA256

346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726
SHA512

a2d737b6436c7550ed5d3f2c8d3cd06f21b019613ea71791f9b9f519eeb54e9c2ac0a0290577c86f2afe56f81161dfb981dc00a8e2483ad152b4e3784fc9ba63
SSDEEP

12288:0MrEy90SXhiDq45nmnagUKW2WjcYOTDXKznBc6RZkReqPNgUnnTwR:QyNq3ma+sLAuBc6RkeqPNgJR

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g7530371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g7530371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g7530371.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g7530371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g7530371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g7530371.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000700000002341f-73.dat	family_redline
behavioral4/memory/2672-75-0x00000000002E0000-0x0000000000310000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	h7155042.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

pid	Process
2452	x8557537.exe
2544	x6246659.exe
2428	x6145980.exe
2728	g7530371.exe
4348	h7155042.exe
4192	saves.exe
2672	i7725090.exe
4392	saves.exe
2572	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g7530371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g7530371.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8557537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6246659.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6145980.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	g7530371.exe
2728	g7530371.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	g7530371.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2452	4412	346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe	83
PID 4412 wrote to memory of 2452	4412	346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe	83
PID 4412 wrote to memory of 2452	4412	346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe	83
PID 2452 wrote to memory of 2544	2452	x8557537.exe	84
PID 2452 wrote to memory of 2544	2452	x8557537.exe	84
PID 2452 wrote to memory of 2544	2452	x8557537.exe	84
PID 2544 wrote to memory of 2428	2544	x6246659.exe	85
PID 2544 wrote to memory of 2428	2544	x6246659.exe	85
PID 2544 wrote to memory of 2428	2544	x6246659.exe	85
PID 2428 wrote to memory of 2728	2428	x6145980.exe	86
PID 2428 wrote to memory of 2728	2428	x6145980.exe	86
PID 2428 wrote to memory of 2728	2428	x6145980.exe	86
PID 2428 wrote to memory of 4348	2428	x6145980.exe	93
PID 2428 wrote to memory of 4348	2428	x6145980.exe	93
PID 2428 wrote to memory of 4348	2428	x6145980.exe	93
PID 4348 wrote to memory of 4192	4348	h7155042.exe	94
PID 4348 wrote to memory of 4192	4348	h7155042.exe	94
PID 4348 wrote to memory of 4192	4348	h7155042.exe	94
PID 2544 wrote to memory of 2672	2544	x6246659.exe	95
PID 2544 wrote to memory of 2672	2544	x6246659.exe	95
PID 2544 wrote to memory of 2672	2544	x6246659.exe	95
PID 4192 wrote to memory of 452	4192	saves.exe	96
PID 4192 wrote to memory of 452	4192	saves.exe	96
PID 4192 wrote to memory of 452	4192	saves.exe	96
PID 4192 wrote to memory of 2540	4192	saves.exe	98
PID 4192 wrote to memory of 2540	4192	saves.exe	98
PID 4192 wrote to memory of 2540	4192	saves.exe	98
PID 2540 wrote to memory of 2476	2540	cmd.exe	100
PID 2540 wrote to memory of 2476	2540	cmd.exe	100
PID 2540 wrote to memory of 2476	2540	cmd.exe	100
PID 2540 wrote to memory of 2484	2540	cmd.exe	101
PID 2540 wrote to memory of 2484	2540	cmd.exe	101
PID 2540 wrote to memory of 2484	2540	cmd.exe	101
PID 2540 wrote to memory of 3256	2540	cmd.exe	102
PID 2540 wrote to memory of 3256	2540	cmd.exe	102
PID 2540 wrote to memory of 3256	2540	cmd.exe	102
PID 2540 wrote to memory of 1752	2540	cmd.exe	103
PID 2540 wrote to memory of 1752	2540	cmd.exe	103
PID 2540 wrote to memory of 1752	2540	cmd.exe	103
PID 2540 wrote to memory of 3272	2540	cmd.exe	104
PID 2540 wrote to memory of 3272	2540	cmd.exe	104
PID 2540 wrote to memory of 3272	2540	cmd.exe	104
PID 2540 wrote to memory of 2404	2540	cmd.exe	105
PID 2540 wrote to memory of 2404	2540	cmd.exe	105
PID 2540 wrote to memory of 2404	2540	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe
"C:\Users\Admin\AppData\Local\Temp\346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8557537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8557537.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6246659.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6246659.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6145980.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6145980.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7530371.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7530371.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7155042.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7155042.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7725090.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7725090.exe
      4⤵
      Executes dropped EXE
      PID:2672

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8557537.exe

Filesize
706KB

MD5
0549740dd9ed1b5169b354947a444ee1

SHA1
f688a9cd705ee364fb99c1d72ff67b7810c3fa24

SHA256
e417d86797b78db09243dedd0d51894bbfa916b94220c6b01b19eca7b4e51702

SHA512
216d9be54aac7ef8d97a393e9f76556e03d14ea9896293b5991e518bdee73332fbe4a3a6c9bb7aa874a782382686592def26a816351da1b749999da9716884b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6246659.exe

Filesize
540KB

MD5
54d1b908865065910d815a37fe12f9d3

SHA1
f6d9fedc238fb4a66eb4ceb33a265d4a5e18e46d

SHA256
8132da80609e96c10b9620e3fabdb77f405e2b22157bdd7107fbdcc082d07f7a

SHA512
37cc75321d556942ca19f5f4f2552286a3b3cbb7d0d3b5659a5f322f4b2e228fc5cebe5ca7ddd84b7d47f932cb910531a9e123fc40ea2f658cc2074d76536aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7725090.exe

Filesize
174KB

MD5
bfea8f5e4c85a611bfb5cedba8bf941c

SHA1
495d19da1a6615a5655c830d3d7806adf7c105e7

SHA256
159d49f08bd4f7497c089318fe7794450a6c891b840fc517ada2a0e5df8b9270

SHA512
0571557080360d47047a0f355ed4ba2a64b71221f73f3036b8ac9b06e6901dc6f8df34561c36d3b5e1fe7859a9dbcb3d5b6344dfab58170b5bc13a55a36b0bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6145980.exe

Filesize
384KB

MD5
c2a521cee3b4aac1f92a48fd3803c6a2

SHA1
635a5fb377d1a16efbe93efae96fe10bdf1638d1

SHA256
4f75dcc5952d4679c66124bbf9cf28759d6dd2714d395363a5ff1c3f0911c457

SHA512
a799dbc6fd26cd45d6105de41730c8a1ba31490311123d4ed1061a70f5e46e44b859374e327bf885d5cd22389447fb2387143c661f520749c97414009ea2a980

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7530371.exe

Filesize
202KB

MD5
695025a4ce6d5f8e7e80b12e273d0b47

SHA1
df47785e8e9a26bb823b730c0a973eca04ca141f

SHA256
2ef88475f02b5367cc950a1eecba258d38e4b13d92728b003a44b0a9da90ffdf

SHA512
6deae214bc91fcb617be8d895a2db4a3fce6dcb3f420a5c2a5a527ebd8c3b6dbbec972ba63f77383e07834048be511fe269776c7324719c7418fcfe39d31cbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7155042.exe

Filesize
337KB

MD5
b48c7ccfd84728a8754ec473bdc21743

SHA1
3d9a5aa07379c7315a90f282e0c330cc2c152433

SHA256
3e589f14ff50842ccc151e5ab6672b1fae03b80beb9e7ff59514269d98b40c40

SHA512
d6984102701fd7be24f1ed47c21e4ccbfa1ff0f6c94ad0d7df746e3106d94033cbc41b62ed593bdf41b71bf20375a40916c6e6702657429c9c53344fa5602bec

Download Submit
memory/2672-79-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/2672-78-0x0000000004D30000-0x0000000004E3A000-memory.dmp

Filesize
1.0MB

Download
memory/2672-77-0x0000000005240000-0x0000000005858000-memory.dmp

Filesize
6.1MB

Download
memory/2672-76-0x0000000004AC0000-0x0000000004AC6000-memory.dmp

Filesize
24KB

Download
memory/2672-75-0x00000000002E0000-0x0000000000310000-memory.dmp

Filesize
192KB

Download
memory/2672-80-0x0000000004CC0000-0x0000000004CFC000-memory.dmp

Filesize
240KB

Download
memory/2672-81-0x0000000004E40000-0x0000000004E8C000-memory.dmp

Filesize
304KB

Download
memory/2728-42-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-50-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-40-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-38-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-36-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-34-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-48-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-32-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-46-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-52-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-54-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-56-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-58-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-44-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/2728-30-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download
memory/2728-29-0x0000000004AB0000-0x0000000005054000-memory.dmp

Filesize
5.6MB

Download
memory/2728-28-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download