amadey | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe
Size

306KB
MD5

ec6af98de3dd9a3fadfe95b861b2160e
SHA1

a34ee5b67a3e3169c5de23624f348783f46954f9
SHA256

d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04
SHA512

3bf37e1410c921e2a061e779d2b6e9464847341387d53c1d44d9151a6e2637f5cdce3c10591c8997e4ee08f2619db299dfb8d90fcf53fd6b66496c13652b9886
SSDEEP

6144:Khy+bnr+mp0yN90QEbWq96aGBAIVPXdXlDVdIIrHq+Nu9Mq7KJ:DMrCy90pj0/BACZuIrK+NQc

Score

10^/10

amadey redline 04d170 larek infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

larek

77.91.124.55:19071

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dp344ZR.exe	family_redline
behavioral19/memory/4956-19-0x00000000000D0000-0x000000000010E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aP28RD.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	aP28RD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 5 IoCs

Processes:

aP28RD.exeexplothe.exedp344ZR.exeexplothe.exeexplothe.exe

pid process

4080 aP28RD.exe
2768 explothe.exe
4956 dp344ZR.exe
3880 explothe.exe
5116 explothe.exe

pid	process
4080	aP28RD.exe
2768	explothe.exe
4956	dp344ZR.exe
3880	explothe.exe
5116	explothe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4056 schtasks.exe

pid	process
4056	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exeaP28RD.exeexplothe.execmd.exe

description	pid	process	target process
PID 4528 wrote to memory of 4080	4528	d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe	aP28RD.exe
PID 4528 wrote to memory of 4080	4528	d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe	aP28RD.exe
PID 4528 wrote to memory of 4080	4528	d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe	aP28RD.exe
PID 4080 wrote to memory of 2768	4080	aP28RD.exe	explothe.exe
PID 4080 wrote to memory of 2768	4080	aP28RD.exe	explothe.exe
PID 4080 wrote to memory of 2768	4080	aP28RD.exe	explothe.exe
PID 4528 wrote to memory of 4956	4528	d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe	dp344ZR.exe
PID 4528 wrote to memory of 4956	4528	d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe	dp344ZR.exe
PID 4528 wrote to memory of 4956	4528	d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe	dp344ZR.exe
PID 2768 wrote to memory of 4056	2768	explothe.exe	schtasks.exe
PID 2768 wrote to memory of 4056	2768	explothe.exe	schtasks.exe
PID 2768 wrote to memory of 4056	2768	explothe.exe	schtasks.exe
PID 2768 wrote to memory of 2940	2768	explothe.exe	cmd.exe
PID 2768 wrote to memory of 2940	2768	explothe.exe	cmd.exe
PID 2768 wrote to memory of 2940	2768	explothe.exe	cmd.exe
PID 2940 wrote to memory of 404	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 404	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 404	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 5044	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 5044	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 5044	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 2760	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 2760	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 2760	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4804	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 4804	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 4804	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 4780	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4780	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 4780	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 1484	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 1484	2940	cmd.exe	cacls.exe
PID 2940 wrote to memory of 1484	2940	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe
"C:\Users\Admin\AppData\Local\Temp\d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aP28RD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aP28RD.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
4⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:404

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
5⤵
PID:5044

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
5⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4804

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
5⤵
PID:4780

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
5⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dp344ZR.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dp344ZR.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aP28RD.exe

Filesize
219KB

MD5
7e504fb708d15ee0fecda301c71b1419

SHA1
a9bb242eaa851dd225365679629c04d54116c481

SHA256
5b4b5dc4c74d34e0d27e351e9b0b01162f8ec4155269b2540d6546068c3b66b1

SHA512
96e6ca35a624ce5d9a48202f9ee9c93a879c42969bcbe537619e8784c1557790dedaea91160cea1b4ffbabc03fd034277639ffc0fba8aa2063e6dad41d37dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dp344ZR.exe

Filesize
221KB

MD5
05d001a237e17bc14f3e7484fb69aee3

SHA1
5983977e147f3fadf6e9f5f4847eddd5bd7278e4

SHA256
e9636a9bcdb3c6f554a50b6a23c91f0acdf7514ccbc48200b59e4a2384c04989

SHA512
6f9163c2e439be5038f7fc35541706b93de07a6f4703b6da3d9b550f35f773eb9310f230f5a615732d9340466bbdb880ff43b7739cce3a78855133c2aabb3871

Download Submit
memory/4956-19-0x00000000000D0000-0x000000000010E000-memory.dmp

Filesize
248KB

Download
memory/4956-20-0x00000000073E0000-0x0000000007984000-memory.dmp

Filesize
5.6MB

Download
memory/4956-21-0x0000000006ED0000-0x0000000006F62000-memory.dmp

Filesize
584KB

Download
memory/4956-22-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

Filesize
40KB

Download
memory/4956-23-0x0000000007FB0000-0x00000000085C8000-memory.dmp

Filesize
6.1MB

Download
memory/4956-24-0x0000000007990000-0x0000000007A9A000-memory.dmp

Filesize
1.0MB

Download
memory/4956-25-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/4956-26-0x00000000072E0000-0x000000000731C000-memory.dmp

Filesize
240KB

Download
memory/4956-27-0x0000000007320000-0x000000000736C000-memory.dmp

Filesize
304KB

Download