amadey | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50.exe
Size

556KB
MD5

040899caf7edf1bc3e51a4588f4e78a2
SHA1

b88ddd0efc7d17fba414e50563ff088771b8e3a1
SHA256

9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50
SHA512

18a92030c4aff2efb602a10f554094274ea935e6ba10bab7f9809d01997671c7d646d151c489ebc9f8dd0ad50a8d90d2c2fb1a4e90c75c382e10b585f8ca9b44
SSDEEP

12288:yMrWy90llnnc4seQZ5nYKpU/zSZhp50zoPI:4ygseQ9U/zSnpezog

Score

10^/10

amadey healer redline fb0fb8 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral9/files/0x0008000000023422-19.dat	healer
behavioral9/memory/1228-21-0x0000000000560000-0x000000000056A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4601749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4601749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4601749.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4601749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4601749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4601749.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral9/files/0x0007000000023420-38.dat	family_redline
behavioral9/memory/3108-39-0x0000000000010000-0x0000000000040000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	b8674621.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 9 IoCs

pid	Process
3056	v5839185.exe
2788	v3589007.exe
1228	a4601749.exe
5024	b8674621.exe
1584	explonde.exe
3108	c1856455.exe
4076	explonde.exe
1148	explonde.exe
4568	explonde.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4601749.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5839185.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3589007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1228	a4601749.exe
1228	a4601749.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	a4601749.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 3056	2796	9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50.exe	82
PID 2796 wrote to memory of 3056	2796	9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50.exe	82
PID 2796 wrote to memory of 3056	2796	9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50.exe	82
PID 3056 wrote to memory of 2788	3056	v5839185.exe	83
PID 3056 wrote to memory of 2788	3056	v5839185.exe	83
PID 3056 wrote to memory of 2788	3056	v5839185.exe	83
PID 2788 wrote to memory of 1228	2788	v3589007.exe	84
PID 2788 wrote to memory of 1228	2788	v3589007.exe	84
PID 2788 wrote to memory of 5024	2788	v3589007.exe	95
PID 2788 wrote to memory of 5024	2788	v3589007.exe	95
PID 2788 wrote to memory of 5024	2788	v3589007.exe	95
PID 5024 wrote to memory of 1584	5024	b8674621.exe	96
PID 5024 wrote to memory of 1584	5024	b8674621.exe	96
PID 5024 wrote to memory of 1584	5024	b8674621.exe	96
PID 3056 wrote to memory of 3108	3056	v5839185.exe	97
PID 3056 wrote to memory of 3108	3056	v5839185.exe	97
PID 3056 wrote to memory of 3108	3056	v5839185.exe	97
PID 1584 wrote to memory of 1812	1584	explonde.exe	98
PID 1584 wrote to memory of 1812	1584	explonde.exe	98
PID 1584 wrote to memory of 1812	1584	explonde.exe	98
PID 1584 wrote to memory of 4892	1584	explonde.exe	100
PID 1584 wrote to memory of 4892	1584	explonde.exe	100
PID 1584 wrote to memory of 4892	1584	explonde.exe	100
PID 4892 wrote to memory of 456	4892	cmd.exe	102
PID 4892 wrote to memory of 456	4892	cmd.exe	102
PID 4892 wrote to memory of 456	4892	cmd.exe	102
PID 4892 wrote to memory of 516	4892	cmd.exe	103
PID 4892 wrote to memory of 516	4892	cmd.exe	103
PID 4892 wrote to memory of 516	4892	cmd.exe	103
PID 4892 wrote to memory of 4656	4892	cmd.exe	104
PID 4892 wrote to memory of 4656	4892	cmd.exe	104
PID 4892 wrote to memory of 4656	4892	cmd.exe	104
PID 4892 wrote to memory of 4264	4892	cmd.exe	105
PID 4892 wrote to memory of 4264	4892	cmd.exe	105
PID 4892 wrote to memory of 4264	4892	cmd.exe	105
PID 4892 wrote to memory of 2400	4892	cmd.exe	106
PID 4892 wrote to memory of 2400	4892	cmd.exe	106
PID 4892 wrote to memory of 2400	4892	cmd.exe	106
PID 4892 wrote to memory of 4912	4892	cmd.exe	107
PID 4892 wrote to memory of 4912	4892	cmd.exe	107
PID 4892 wrote to memory of 4912	4892	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50.exe
"C:\Users\Admin\AppData\Local\Temp\9bcf3e48a23154e18a57f5f75e8997e1399e48275d8e3f11ae57ae34df1ede50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5839185.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5839185.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3589007.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3589007.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4601749.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4601749.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8674621.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8674621.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1812
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        7⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        7⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1856455.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1856455.exe
    3⤵
    - Executes dropped EXE
    PID:3108

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5839185.exe

Filesize
389KB

MD5
6113c47d537bbb2f3e83fdda4ff28855

SHA1
97d8bd8c08ace62ddee2757bea79c61664696951

SHA256
cdd210d9d7b730541bcc7d4910ba82451d56e84fdb7f1da2f880a18b25c208d4

SHA512
c8c2cf3d8edf1cf3704cbd12ebb1b53d46c3bbd786f17dc4aec51e4f9a7111fcaac3c951fdab26d4c90001b0325193e4009379e70dfdd97f0d5fa67c1ed80c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1856455.exe

Filesize
175KB

MD5
fd40f59345810ffa1881a668be571fe8

SHA1
2d6b9b246b32bc3489897bc3d4b9d1c3a7d452ad

SHA256
aea77b8f02605b7248672c4995b59979729fa8e85e8e2a959ad0098a2e095195

SHA512
4ecb88dbda163c094e98c49e29e4ca352e1608f2a2164a77197dc897ae8d8e43a70dba53444eae744f86df709e6f5ac731ff300aaeccb20f58336eea0e1aeabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3589007.exe

Filesize
234KB

MD5
ac5e48c10b0295a343a47d0055d2504c

SHA1
1a4acec865c7962d84234297a0b89bbd954169db

SHA256
18b6fbce88bb4de5f2010616279b61dbd32c55f7698423bed1506ae2bdd52af3

SHA512
d113692067354a9270295f679ed46cb705ada1304ac5b52ee96eefe8b17643fa0a374d3a35885974a201ba98ab99aa2270e3de352da362d3a515cd9bd9b3900a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4601749.exe

Filesize
11KB

MD5
f061ffc02a0f4bbcb07725b34547d624

SHA1
48f160581b0279f1b30c09591c344556e5fa4116

SHA256
9c8936c0b0965a7269ebb525dcdfb1b3d30c3d5ff3a6aea102f57f59ddcf9e43

SHA512
4cdc7122165211cbab2fb7b021e2a002248d38c36777d54fa2b9fac81d5635f4330145dabb8ea9643ecd4a9b2286d817cb4f8a272b2bb3a0f8fa2a8a2be65fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8674621.exe

Filesize
219KB

MD5
1fd5a8de084e8e68125da41efe18ccd5

SHA1
8428a86e0699832b6fe67018513d9a906b91ca0f

SHA256
3a524eb2b67ed8c1d6544aec05422f8809254451f51380cfc375d485b4f66bdc

SHA512
fb48094166a94186739a4312ed834c58161f9fb86e2056da143d1857493a2de00bfa1a1ca85cf4d76429ec37f0628ba8343195219664ed259eebbabc8fd1eed7

Download Submit
memory/1228-22-0x00007FFC7BAE3000-0x00007FFC7BAE5000-memory.dmp

Filesize
8KB

Download
memory/1228-21-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/3108-39-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/3108-40-0x0000000000A60000-0x0000000000A66000-memory.dmp

Filesize
24KB

Download
memory/3108-41-0x000000000A380000-0x000000000A998000-memory.dmp

Filesize
6.1MB

Download
memory/3108-42-0x0000000009E80000-0x0000000009F8A000-memory.dmp

Filesize
1.0MB

Download
memory/3108-43-0x0000000009DB0000-0x0000000009DC2000-memory.dmp

Filesize
72KB

Download
memory/3108-44-0x0000000009E10000-0x0000000009E4C000-memory.dmp

Filesize
240KB

Download
memory/3108-45-0x00000000022B0000-0x00000000022FC000-memory.dmp

Filesize
304KB

Download