Overview

overview

10

Static

static

3

1bd70f5afc...20.exe

windows10-2004-x64

10

20d5ad811e...b7.exe

windows10-2004-x64

10

2ca6e4b470...97.exe

windows10-2004-x64

10

30323f682e...18.exe

windows10-2004-x64

10

426e1b8066...18.exe

windows10-2004-x64

10

43ea4b5927...9e.exe

windows10-2004-x64

10

44ba27c950...f2.exe

windows10-2004-x64

10

6e35231281...45.exe

windows10-2004-x64

10

7cac44d1ec...c4.exe

windows10-2004-x64

10

823db2b88d...40.exe

windows10-2004-x64

10

a884418225...db.exe

windows10-2004-x64

10

c68d91a00f...d2.exe

windows10-2004-x64

10

cabcad649e...d3.exe

windows7-x64

10

cabcad649e...d3.exe

windows10-2004-x64

10

cb4c64011d...ef.exe

windows10-2004-x64

10

d55f431b8e...57.exe

windows10-2004-x64

10

dea00ebf60...e0.exe

windows10-2004-x64

10

e017c199a6...9b.exe

windows10-2004-x64

10

e01acda385...7b.exe

windows10-2004-x64

10

e46b62442d...14.exe

windows10-2004-x64

10

ef7029b98b...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8844182255c5383be20ec415b7286551bb27f4713458001503fbb103d2c31db.exe

  • Size

    540KB

  • MD5

    e608e4390308014ed2506afc51f37aff

  • SHA1

    76512e644442202163b9f2263e27f47419cf23a9

  • SHA256

    a8844182255c5383be20ec415b7286551bb27f4713458001503fbb103d2c31db

  • SHA512

    3207e41e9cd605f656c2ab67e3a1ecd6683a122997c1e2ce0c6d1d81cc386c0b35f63ccca8544666edefe5d0f62ed13f15e6e40f174f5c8165fc02ea7c258676

  • SSDEEP

    12288:bMrWy908tzVcJEW7nALhp1z/px4WrIeZux1M0B:9yltezAtnRu3B

Score
10/10
amadeyredline59b440mrakevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8844182255c5383be20ec415b7286551bb27f4713458001503fbb103d2c31db.exe
    "C:\Users\Admin\AppData\Local\Temp\a8844182255c5383be20ec415b7286551bb27f4713458001503fbb103d2c31db.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9166939.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9166939.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7009689.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7009689.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4950174.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4950174.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
          "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:856
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:3896
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4764
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:3508
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:N"
                6⤵
                  PID:3088
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "saves.exe" /P "Admin:R" /E
                  6⤵
                    PID:4544
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:2672
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:N"
                      6⤵
                        PID:5096
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\b40d11255d" /P "Admin:R" /E
                        6⤵
                          PID:2348
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4008213.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4008213.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4356
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3200
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4912
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2744

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4008213.exe
                Filesize

                174KB

                MD5

                6a20737a37ee24b3b28ed46548f871e1

                SHA1

                615053da4812c8bf1814363bdeb7a09e6f62196c

                SHA256

                e080d79e5cae4f7253db965101a7709fa1130356069e10ffea740150e2ecb482

                SHA512

                0c9e04bec87bf7fe74306124c9ec63f56e9c0513f164653ae6725661f98586b64d73355c99c0c987b4beea0fdd7b4d48c9897a1b28045599c478cc43f251f472

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9166939.exe
                Filesize

                384KB

                MD5

                8dd96d3d419e69bb26fde5ca54470add

                SHA1

                3dda8297ae0462ac520bd7ad085bbecc21fe2229

                SHA256

                5f4bf51f1afd24dc95fbe0df3839ada154901c53111431bb5ca5d769487c5e4a

                SHA512

                199f63676c9c98692869574d0e73dd504f8fef30ce778443ffe3ddd5af7d41877c9b6a3e66fc9c2b915b300a4eba25129b24021a68c4903bfba35784ba1fc434

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7009689.exe
                Filesize

                202KB

                MD5

                a797676be3b12d4ec8a29d6a30d63b94

                SHA1

                a5d18568ca0c6ae8ab6d90f7a0241166625e4f63

                SHA256

                520d4cbc21e534f0361fe9b7ace50f8b53e32b2eff4ebb43a256f774ddc959d7

                SHA512

                2aef3216429bcbbfab677c69f185331a225f1e39579cd376e20fa1f892104bd19aa7146abf15f48190fdfc03606b02f1b77a0967a99b148e21b9373a01d9d6e8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4950174.exe
                Filesize

                337KB

                MD5

                bc140b49ea1c3ed0cf9ee0b650d6cc1f

                SHA1

                b83c173a03dda654e1c9dd6f3025f88dd24e6c46

                SHA256

                1ca720f59d0518d8c2fd5cbf6d42a1810e09e63119afe72305be29666a4b64ef

                SHA512

                3044e9696780dfd3b6583c3c2b07c152970b70a161cb1714dcb65aef25741eac8d8fdf4bf6d85e6caf9189d832abd141160e954695ae6855d377b5ffc16023c3

                Download Submit

              • memory/428-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-18-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/428-19-0x0000000073BA0000-0x0000000074350000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/428-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-48-0x0000000073BA0000-0x0000000074350000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/428-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-30-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-16-0x0000000004C50000-0x00000000051F4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/428-23-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-21-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-17-0x0000000073BA0000-0x0000000074350000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/428-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-20-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/428-50-0x0000000073BA0000-0x0000000074350000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/428-15-0x00000000024B0000-0x00000000024CE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/428-14-0x0000000073BAE000-0x0000000073BAF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4356-66-0x0000000000460000-0x0000000000490000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4356-67-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4356-68-0x00000000053D0000-0x00000000059E8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4356-70-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4356-69-0x0000000004EC0000-0x0000000004FCA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4356-71-0x0000000004E40000-0x0000000004E7C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4356-72-0x0000000004FD0000-0x000000000501C000-memory.dmp

                Filesize

                304KB

                Download