amadey | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe
Size

599KB
MD5

99fd0b2ec905c3e08b6ab6c8adaf3a4e
SHA1

147be259f83e1f4c2e739d390d4a8a72e8373ee4
SHA256

ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19
SHA512

56a943334d09307861f8f74ef7e858ede2eed15e06dcb2d271938a1eed1039c3ea34811c20965c455ef62b39ca9a2f899e4c559ca420041df28cd022f636705c
SSDEEP

12288:GMriy90WiusxhjG8E57oii214aklgzzfcvrjSnKlkcw63IwJwd:AyTEGv57oiiS4abIvr0KJ3Iww

Score

10^/10

amadey healer redline 59b440 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral19/files/0x0008000000023408-19.dat	healer
behavioral19/memory/4752-22-0x0000000000110000-0x000000000011A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0644070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0644070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0644070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0644070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0644070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0644070.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023406-38.dat	family_redline
behavioral19/memory/2560-39-0x0000000000250000-0x0000000000280000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	saves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	b8368777.exe

Executes dropped EXE 8 IoCs

pid	Process
4088	v5516200.exe
3880	v3430522.exe
4752	a0644070.exe
4120	b8368777.exe
2636	saves.exe
2560	c3588043.exe
4244	saves.exe
8	saves.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0644070.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5516200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3430522.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4752	a0644070.exe
4752	a0644070.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	a0644070.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 4088	4712	ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe	82
PID 4712 wrote to memory of 4088	4712	ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe	82
PID 4712 wrote to memory of 4088	4712	ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe	82
PID 4088 wrote to memory of 3880	4088	v5516200.exe	83
PID 4088 wrote to memory of 3880	4088	v5516200.exe	83
PID 4088 wrote to memory of 3880	4088	v5516200.exe	83
PID 3880 wrote to memory of 4752	3880	v3430522.exe	84
PID 3880 wrote to memory of 4752	3880	v3430522.exe	84
PID 3880 wrote to memory of 4120	3880	v3430522.exe	96
PID 3880 wrote to memory of 4120	3880	v3430522.exe	96
PID 3880 wrote to memory of 4120	3880	v3430522.exe	96
PID 4120 wrote to memory of 2636	4120	b8368777.exe	97
PID 4120 wrote to memory of 2636	4120	b8368777.exe	97
PID 4120 wrote to memory of 2636	4120	b8368777.exe	97
PID 4088 wrote to memory of 2560	4088	v5516200.exe	98
PID 4088 wrote to memory of 2560	4088	v5516200.exe	98
PID 4088 wrote to memory of 2560	4088	v5516200.exe	98
PID 2636 wrote to memory of 4224	2636	saves.exe	99
PID 2636 wrote to memory of 4224	2636	saves.exe	99
PID 2636 wrote to memory of 4224	2636	saves.exe	99
PID 2636 wrote to memory of 2288	2636	saves.exe	101
PID 2636 wrote to memory of 2288	2636	saves.exe	101
PID 2636 wrote to memory of 2288	2636	saves.exe	101
PID 2288 wrote to memory of 4484	2288	cmd.exe	103
PID 2288 wrote to memory of 4484	2288	cmd.exe	103
PID 2288 wrote to memory of 4484	2288	cmd.exe	103
PID 2288 wrote to memory of 3360	2288	cmd.exe	104
PID 2288 wrote to memory of 3360	2288	cmd.exe	104
PID 2288 wrote to memory of 3360	2288	cmd.exe	104
PID 2288 wrote to memory of 4696	2288	cmd.exe	105
PID 2288 wrote to memory of 4696	2288	cmd.exe	105
PID 2288 wrote to memory of 4696	2288	cmd.exe	105
PID 2288 wrote to memory of 1324	2288	cmd.exe	106
PID 2288 wrote to memory of 1324	2288	cmd.exe	106
PID 2288 wrote to memory of 1324	2288	cmd.exe	106
PID 2288 wrote to memory of 1084	2288	cmd.exe	107
PID 2288 wrote to memory of 1084	2288	cmd.exe	107
PID 2288 wrote to memory of 1084	2288	cmd.exe	107
PID 2288 wrote to memory of 1168	2288	cmd.exe	108
PID 2288 wrote to memory of 1168	2288	cmd.exe	108
PID 2288 wrote to memory of 1168	2288	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe
"C:\Users\Admin\AppData\Local\Temp\ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5516200.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5516200.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3430522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3430522.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0644070.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0644070.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8368777.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8368777.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4224
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        7⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        7⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        7⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        7⤵
        
        PID:1168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3588043.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3588043.exe
    3⤵
    - Executes dropped EXE
    PID:2560

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5516200.exe

Filesize
433KB

MD5
e6595b4d6fd15663f06c3594db4dfe50

SHA1
24fee44ab987c4531fa2b380a2df5d2d40a73c13

SHA256
51adbc5244e4c5ea3689bd52a3860e6f1c69d3940af795b9683daf441f774a64

SHA512
7484b136dc4afb1ecc8efce92494ca539f6d8bca7f357b0b4c2fefc4ea11840d6a5e090d63823c7364807621bf0d0f74fd8c3497d1d4a234376f0837fabaf411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3588043.exe

Filesize
174KB

MD5
aec732227f9d701a02ee6c90656fbe16

SHA1
41e9d731437113a9331c8b235e68d6d5daffa5b4

SHA256
4bfacd17a8b4d521a26e532f3cac2767e89dff2c4d8b6b16e2c71cd72dd85804

SHA512
2e2933535a53398213681f0a6edb30c23275a7278a508aad35a615f3aadba9099aabf451945e6d743b4e781dbe9eff27c089485f57a4e39937464a948d0e9e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3430522.exe

Filesize
277KB

MD5
d3c2c229ca7de382c15a52f3aeda40d5

SHA1
011e32720badb79f521659bb310d60b633aaeb49

SHA256
943dcd08fb98f5284328bd6e86c962322e213aabe5dc67c48719bb2c787780c9

SHA512
806651e9c7394e415495dd1448d5e354f7418da12f267e83f18e696a751dfe4bb02a1be69aad9012c016ace482809a9d7bf27df828d68b1f041e9a7d8ded2455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0644070.exe

Filesize
11KB

MD5
329ce153c10642b207f9c422a99d150b

SHA1
d36a52feca19dbff397b2c5dbd3ca2f5a3a55ea6

SHA256
78959e959ccb966d4100917352bbc10d34d7fe70c00f285cb80e8ce8f518ec5f

SHA512
8158009b0302934fbbe0b2e4ce2cb63235dc8b020bdb27f7b15914acdd1b8ca6f06fac5c4878ab3e12328952e1ef876e67b3e5fd16e5497ad2f8678b4d89254d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8368777.exe

Filesize
337KB

MD5
1961ee045eedd30f664de6151e814f8e

SHA1
cc0c333ea8604f15efa9dc99065dbaf4df993ee2

SHA256
f67bc6761c1b6fedb1778d40bf39457fbd31b7a2afa7e7d20aa90e25d1849eba

SHA512
1cfceee990a94edb609948911f2e4025e6943c087a4db921860aeaafec4735f88b23d21da001e38aaf0c4e9515fde9873a9b193f336b35ce4a43d925d029eafd

Download Submit
memory/2560-41-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/2560-39-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2560-40-0x0000000000B00000-0x0000000000B06000-memory.dmp

Filesize
24KB

Download
memory/2560-42-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

Filesize
1.0MB

Download
memory/2560-43-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

Filesize
72KB

Download
memory/2560-44-0x0000000004C00000-0x0000000004C3C000-memory.dmp

Filesize
240KB

Download
memory/2560-45-0x0000000004C80000-0x0000000004CCC000-memory.dmp

Filesize
304KB

Download
memory/4752-22-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/4752-21-0x00007FF91AFE3000-0x00007FF91AFE5000-memory.dmp

Filesize
8KB

Download