amadey | e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe
Size

540KB
MD5

3a43d1c96176e1bcf74d3c2263044759
SHA1

9107fc9c7479bf1c4ddeffc52518583917603b95
SHA256

68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5
SHA512

74197247630636db39089573b49beb6daecef1834e9b4c69e7a7a560e3f7f0a8e3ab3fa591c6a4baaed4d397173c4b8e686daccd923482575ed90bdc582849f3
SSDEEP

12288:cMrsy90R6ibrrpOS4kHIMBz9NMdgCOKoRF2ePk5:wyZibxOS44IaTCYJ+

Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g1935351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g1935351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g1935351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g1935351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g1935351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g1935351.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x0008000000023289-66.dat	family_redline
behavioral13/memory/4024-67-0x0000000000DD0000-0x0000000000E00000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	h5355103.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 6 IoCs

pid	Process
4620	x8203061.exe
2324	g1935351.exe
3164	h5355103.exe
3520	saves.exe
4024	i5208464.exe
2840	saves.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g1935351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g1935351.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8203061.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	g1935351.exe
2324	g1935351.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	g1935351.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4620	2184	68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe	91
PID 2184 wrote to memory of 4620	2184	68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe	91
PID 2184 wrote to memory of 4620	2184	68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe	91
PID 4620 wrote to memory of 2324	4620	x8203061.exe	92
PID 4620 wrote to memory of 2324	4620	x8203061.exe	92
PID 4620 wrote to memory of 2324	4620	x8203061.exe	92
PID 4620 wrote to memory of 3164	4620	x8203061.exe	95
PID 4620 wrote to memory of 3164	4620	x8203061.exe	95
PID 4620 wrote to memory of 3164	4620	x8203061.exe	95
PID 3164 wrote to memory of 3520	3164	h5355103.exe	96
PID 3164 wrote to memory of 3520	3164	h5355103.exe	96
PID 3164 wrote to memory of 3520	3164	h5355103.exe	96
PID 2184 wrote to memory of 4024	2184	68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe	97
PID 2184 wrote to memory of 4024	2184	68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe	97
PID 2184 wrote to memory of 4024	2184	68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe	97
PID 3520 wrote to memory of 1008	3520	saves.exe	98
PID 3520 wrote to memory of 1008	3520	saves.exe	98
PID 3520 wrote to memory of 1008	3520	saves.exe	98
PID 3520 wrote to memory of 908	3520	saves.exe	100
PID 3520 wrote to memory of 908	3520	saves.exe	100
PID 3520 wrote to memory of 908	3520	saves.exe	100
PID 908 wrote to memory of 1000	908	cmd.exe	102
PID 908 wrote to memory of 1000	908	cmd.exe	102
PID 908 wrote to memory of 1000	908	cmd.exe	102
PID 908 wrote to memory of 4412	908	cmd.exe	103
PID 908 wrote to memory of 4412	908	cmd.exe	103
PID 908 wrote to memory of 4412	908	cmd.exe	103
PID 908 wrote to memory of 4508	908	cmd.exe	104
PID 908 wrote to memory of 4508	908	cmd.exe	104
PID 908 wrote to memory of 4508	908	cmd.exe	104
PID 908 wrote to memory of 3748	908	cmd.exe	105
PID 908 wrote to memory of 3748	908	cmd.exe	105
PID 908 wrote to memory of 3748	908	cmd.exe	105
PID 908 wrote to memory of 1960	908	cmd.exe	106
PID 908 wrote to memory of 1960	908	cmd.exe	106
PID 908 wrote to memory of 1960	908	cmd.exe	106
PID 908 wrote to memory of 2552	908	cmd.exe	107
PID 908 wrote to memory of 2552	908	cmd.exe	107
PID 908 wrote to memory of 2552	908	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe
"C:\Users\Admin\AppData\Local\Temp\68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
      "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1000
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        6⤵
        
        PID:4412
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        6⤵
        
        PID:4508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3748
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        6⤵
        
        PID:1960
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        6⤵
        
        PID:2552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
  2⤵
  - Executes dropped EXE
  PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe

Filesize
174KB

MD5
83d201fab8d323c26aebf61f4edab894

SHA1
0951a1c6ef9d8ea2f2a38f0b1e5d51faa55432b8

SHA256
549b21b8653360d2f6b749eb2358e58a996a35c8f85bde4d7740296bd0bc5e33

SHA512
a4a7c3ece46c6d33214d56f08d8a9d214f312b6d3f6c6bb90012a917eca56387c0645fdda94778eed3049a0e3f6cf7c499de7f3d6218dffceee565ee4c38afca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe

Filesize
384KB

MD5
c0f7a5d560b531fd3bab55cc63236a23

SHA1
9c5a14c3967d7ad535a733918c790906e210cc1c

SHA256
858e0c098977fc7da667404bce45320ad01b73848fcb411a64bb482b15c28881

SHA512
e7179ca343d9a56085b8eade536be7abfb7662436d13aaddcc21e020b5319a893b4c248092d5e07d91a2acec0ee7648f8615ea34179294603f00ff475321a2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe

Filesize
202KB

MD5
ed3eafff4705be9e483b93379ff54f8f

SHA1
6b16c88ae0157be7649469ec2baa13193af8f2b7

SHA256
91e35f49cdd48b97c1c6bacc5d2ee7a1c84e29facb1d9b5d3d2e84e3a8759626

SHA512
f8e02531f40468ed632b562e439d150d7949d5fe0e6355414dd1701d491283daf6f38ad73782eee71d8db53975916f6e8d57edf0ce95e27a41f5869a65f5f7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe

Filesize
337KB

MD5
251aa9e034465b49c7aeabaa9e675211

SHA1
c415e234bf8ff36c6e24e9b4c84247399e49b674

SHA256
3089ab919d4f5b5942e0beb13d3209fd34e783d0658b0170a14642078fb5775f

SHA512
c04cff04f0b32e0013fe50ff88acbad93f75feeff8e14096b24ba4420604617d118deec656f4a899e7ef6bdbc9357d7cf8510fdfe0ea12f102adebc0a9398abe

Download Submit
memory/2324-39-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-32-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-18-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-19-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/2324-20-0x0000000002540000-0x000000000255C000-memory.dmp

Filesize
112KB

Download
memory/2324-21-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-24-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-48-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-47-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-44-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-43-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-40-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-16-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download
memory/2324-36-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-35-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-17-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-30-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-28-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-26-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-22-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2324-49-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2324-51-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-15-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-14-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4024-67-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/4024-68-0x0000000002FC0000-0x0000000002FC6000-memory.dmp

Filesize
24KB

Download
memory/4024-69-0x0000000005D00000-0x0000000006318000-memory.dmp

Filesize
6.1MB

Download
memory/4024-70-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download
memory/4024-71-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/4024-72-0x00000000057B0000-0x00000000057EC000-memory.dmp

Filesize
240KB

Download
memory/4024-73-0x0000000005930000-0x000000000597C000-memory.dmp

Filesize
304KB

Download