amadey | d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

General

Target

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Size

424KB
MD5

13e5872e9b7c47090e035dc228c5589f
SHA1

c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512

260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
SSDEEP

6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz

Score

10^/10

amadey redline discovery infostealer spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000003001\build.exe	family_redline
behavioral2/memory/4820-39-0x0000000000DA0000-0x0000000000E0E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Hkbsse.exe

Executes dropped EXE 4 IoCs

Processes:

Hkbsse.exebuild.exeHkbsse.exeHkbsse.exe

pid process

4392 Hkbsse.exe
4820 build.exe
2916 Hkbsse.exe
1572 Hkbsse.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 1 IoCs

Processes:

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

build.exe

pid process

4820 build.exe

pid	process
4392	Hkbsse.exe
4820	build.exe
2916	Hkbsse.exe
1572	Hkbsse.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe

pid	process
4820	build.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

build.exe

description	pid	process
Token: SeDebugPrivilege	4820	build.exe
Token: SeBackupPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe
Token: SeBackupPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe
Token: SeSecurityPrivilege	4820	build.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exe

description	pid	process	target process
PID 1424 wrote to memory of 4392	1424	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 1424 wrote to memory of 4392	1424	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 1424 wrote to memory of 4392	1424	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 4392 wrote to memory of 4820	4392	Hkbsse.exe	build.exe
PID 4392 wrote to memory of 4820	4392	Hkbsse.exe	build.exe
PID 4392 wrote to memory of 4820	4392	Hkbsse.exe	build.exe

C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
"C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\1000003001\build.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\build.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\080292272204

Filesize
76KB

MD5
1aa666a3b16b482107ebd63e1acc4adc

SHA1
413f8798c367f421697a682e2afd97a96b02e061

SHA256
058f09c994f8daee3cb2e0e07dc3eb9ba8f68723d24bea689553952dfded6851

SHA512
d476069bf4e6abb00772ea632ba11d63401a1fb2f43ad403e9c8c99a2c472f2d9a55105049f26fc21117183a53850701fe32485a3b4d0be98182b98d3d81abb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\build.exe

Filesize
420KB

MD5
e59cb9f032187838b2be9823757bb85a

SHA1
e42f9772116fe6bffccc64897654a87774bdd372

SHA256
77d7ec4c54e6db91a4562c59472d659c3768dda653cf396443187087a3a61b1b

SHA512
584ab75c10f71b77f3a69cb8bc412c8c5edc03cb195c70d2f3f9d32950c5a18d692e250dbc53af00125e860815815caba9776838b49a78b4fcd6a7f4447b666f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe

Filesize
424KB

MD5
13e5872e9b7c47090e035dc228c5589f

SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760

SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e

Download Submit
memory/4820-45-0x0000000008F80000-0x0000000009598000-memory.dmp

Filesize
6.1MB

Download
memory/4820-47-0x00000000089D0000-0x00000000089E2000-memory.dmp

Filesize
72KB

Download
memory/4820-40-0x0000000072D60000-0x0000000073510000-memory.dmp

Filesize
7.7MB

Download
memory/4820-41-0x00000000032A0000-0x00000000032C0000-memory.dmp

Filesize
128KB

Download
memory/4820-42-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/4820-43-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/4820-44-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/4820-38-0x0000000072D6E000-0x0000000072D6F000-memory.dmp

Filesize
4KB

Download
memory/4820-46-0x0000000008AB0000-0x0000000008BBA000-memory.dmp

Filesize
1.0MB

Download
memory/4820-39-0x0000000000DA0000-0x0000000000E0E000-memory.dmp

Filesize
440KB

Download
memory/4820-48-0x0000000008A30000-0x0000000008A6C000-memory.dmp

Filesize
240KB

Download
memory/4820-49-0x0000000008BC0000-0x0000000008C0C000-memory.dmp

Filesize
304KB

Download
memory/4820-50-0x0000000072D6E000-0x0000000072D6F000-memory.dmp

Filesize
4KB

Download
memory/4820-51-0x0000000072D60000-0x0000000073510000-memory.dmp

Filesize
7.7MB

Download
memory/4820-55-0x0000000008F00000-0x0000000008F66000-memory.dmp

Filesize
408KB

Download
memory/4820-56-0x0000000009A20000-0x0000000009A96000-memory.dmp

Filesize
472KB

Download
memory/4820-57-0x00000000099C0000-0x00000000099DE000-memory.dmp

Filesize
120KB

Download
memory/4820-58-0x000000000ACE0000-0x000000000AEA2000-memory.dmp

Filesize
1.8MB

Download
memory/4820-59-0x000000000B3E0000-0x000000000B90C000-memory.dmp

Filesize
5.2MB

Download
memory/4820-61-0x0000000072D60000-0x0000000073510000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads