amadey | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe
Size

903KB
MD5

56cbf85c17dc70913672f90b1f36fbfc
SHA1

205c818fd0e8d76ea21b3cd03704a2ae71f85a76
SHA256

9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4
SHA512

dbdde039478539be601d9bec0e9d88ed590f3c35ddf9e98eefe10affcf9dc7b809349741c4ef2ab740d0af6352dd0ce46412028b77a516a1ac6475bcb4c2c5db
SSDEEP

24576:byb2x0Hx9Isn62mKFE0e1PMGI4InO6fbWaqErse0mdbi:OU0Hx9ISMKFE0eZMlndbsezd

Score

10^/10

amadey redline 59b440 mrak infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6024603.exe	family_redline
behavioral13/memory/2012-33-0x0000000000EE0000-0x0000000000F10000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l1483425.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	l1483425.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 7 IoCs

Processes:

y7112759.exey8185233.exel1483425.exesaves.exen6024603.exesaves.exesaves.exe

pid process

3980 y7112759.exe
2944 y8185233.exe
2776 l1483425.exe
2572 saves.exe
2012 n6024603.exe
4848 saves.exe
4020 saves.exe

pid	process
3980	y7112759.exe
2944	y8185233.exe
2776	l1483425.exe
2572	saves.exe
2012	n6024603.exe
4848	saves.exe
4020	saves.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exey7112759.exey8185233.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7112759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8185233.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3272 schtasks.exe

pid	process
3272	schtasks.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exey7112759.exey8185233.exel1483425.exesaves.execmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 3980	1584	9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe	y7112759.exe
PID 1584 wrote to memory of 3980	1584	9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe	y7112759.exe
PID 1584 wrote to memory of 3980	1584	9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe	y7112759.exe
PID 3980 wrote to memory of 2944	3980	y7112759.exe	y8185233.exe
PID 3980 wrote to memory of 2944	3980	y7112759.exe	y8185233.exe
PID 3980 wrote to memory of 2944	3980	y7112759.exe	y8185233.exe
PID 2944 wrote to memory of 2776	2944	y8185233.exe	l1483425.exe
PID 2944 wrote to memory of 2776	2944	y8185233.exe	l1483425.exe
PID 2944 wrote to memory of 2776	2944	y8185233.exe	l1483425.exe
PID 2776 wrote to memory of 2572	2776	l1483425.exe	saves.exe
PID 2776 wrote to memory of 2572	2776	l1483425.exe	saves.exe
PID 2776 wrote to memory of 2572	2776	l1483425.exe	saves.exe
PID 2944 wrote to memory of 2012	2944	y8185233.exe	n6024603.exe
PID 2944 wrote to memory of 2012	2944	y8185233.exe	n6024603.exe
PID 2944 wrote to memory of 2012	2944	y8185233.exe	n6024603.exe
PID 2572 wrote to memory of 3272	2572	saves.exe	schtasks.exe
PID 2572 wrote to memory of 3272	2572	saves.exe	schtasks.exe
PID 2572 wrote to memory of 3272	2572	saves.exe	schtasks.exe
PID 2572 wrote to memory of 2768	2572	saves.exe	cmd.exe
PID 2572 wrote to memory of 2768	2572	saves.exe	cmd.exe
PID 2572 wrote to memory of 2768	2572	saves.exe	cmd.exe
PID 2768 wrote to memory of 1996	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1996	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1996	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 4312	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 4312	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 4312	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1136	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1136	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1136	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1484	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1484	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1484	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2284	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 2284	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 2284	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1732	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1732	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1732	2768	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe
"C:\Users\Admin\AppData\Local\Temp\9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7112759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7112759.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8185233.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8185233.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1483425.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1483425.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
6⤵
- Creates scheduled task(s)
PID:3272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1996

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
7⤵
PID:4312

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
7⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1484

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
7⤵
PID:2284

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
7⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6024603.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6024603.exe
4⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7112759.exe
Filesize
822KB

MD5
0e9909e9fd5294ab652141221853b24c

SHA1
4385b57935cf20cefb551e76ed07f7b1b570a1ea

SHA256
122f09b7df2071714e67c540ed9b44a34e4693254bd5c80d4aecc68ce4f457aa

SHA512
2ad71e8837fcc072e85314e750fa6370d40fefb93f8338c944da7e75d9af9a2f4847e19df5f9398e31d076fe71d85d86ed7d9349cbace26a2a8d6b37ebb9c412

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8185233.exe
Filesize
331KB

MD5
f728f659451c1e0feb0f699e074f20b1

SHA1
192f0ec37208ca2eb609e94c363b1b8a5f25847f

SHA256
768dd9a148a0ba170b2ff6beb9373e0bebd8905ca633e5472c941c9d55d712f2

SHA512
e2bf3a0d2ca9a8005048340c2d04bea767b208bf7d248e6ec320dac493660e378d38065d6188a3b700456af20d21fa6af9122035025a2d0167e69d8f9d3d9d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1483425.exe
Filesize
337KB

MD5
de17c1b707dacb39f3417d27ad096c21

SHA1
8a24d39ef5d2581f985b758265914f44ce932c4b

SHA256
5216bd418236aedf2cdb7fdc56a0a7a806f67e69b030cf8591edc9514630fefa

SHA512
92c1defb3a5fc57de7d4513bc1bd806c5bb0ff953ad7c3f2c18569e90c917cae8455351a3bdc05a7ec82623b4ebcd256137741645dfe8ce79be3767983f6219d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6024603.exe
Filesize
174KB

MD5
48e594c677f7b1eb3409f6fea8013ad3

SHA1
47a6635597279b01be1b8c24ddf00206008c5c2f

SHA256
889c7152986d17371dbadee509047f764986603450990994389a0d805238b1f8

SHA512
51b3a83c8d822f5072ae735e6d1dca23787b1a43e3e043113293c265684c1760764749fe9c74a9cc2a3755784fecbd508c1aa2cb3635dc18297a97bcb03ae455

Download Submit
memory/2012-33-0x0000000000EE0000-0x0000000000F10000-memory.dmp

Filesize
192KB

Download
memory/2012-34-0x0000000003270000-0x0000000003276000-memory.dmp

Filesize
24KB

Download
memory/2012-35-0x0000000006080000-0x0000000006698000-memory.dmp

Filesize
6.1MB

Download
memory/2012-36-0x0000000005B70000-0x0000000005C7A000-memory.dmp

Filesize
1.0MB

Download
memory/2012-37-0x0000000005890000-0x00000000058A2000-memory.dmp

Filesize
72KB

Download
memory/2012-38-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/2012-39-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download