amadey | eeddb169e3939f9453f8a81ff716df60201112c9ff138d3c22321eed27032f29

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

298e459c42560a451c2bdd39356986b0N.exe
Size

389KB
MD5

298e459c42560a451c2bdd39356986b0
SHA1

6dd7bcbaa7adb8bee746f16c423d92f762e58434
SHA256

eeddb169e3939f9453f8a81ff716df60201112c9ff138d3c22321eed27032f29
SHA512

113d0a03ce90002a2ac3799ac3ad1ff60fad5b52208f301060ec3c43287258d186ce8eba6dcd152e181593c1653adbde541056400cc1733ccf43b29525d5f393
SSDEEP

12288:6MrTy901JIDCBytzth16htBgBYCNfwZ9o42lY:ZyyJGCeZhoXKzscY

Score

10^/10

amadey healer redline 88c8bb gotad discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

gotad

77.91.124.84:19071

Attributes

auth_value
3fb7c1f3fcf68bc377eae3f6f493a684

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023511-25.dat	healer
behavioral1/memory/904-27-0x0000000000DA0000-0x0000000000DAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	h9039535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h9039535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h9039535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h9039535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h9039535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h9039535.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002350e-30.dat	family_redline
behavioral1/memory/2160-32-0x00000000001A0000-0x00000000001D0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	g4259827.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	pdates.exe

Executes dropped EXE 7 IoCs

pid	Process
5024	x8633975.exe
5056	g4259827.exe
4912	pdates.exe
904	h9039535.exe
2160	i1384907.exe
3312	pdates.exe
3896	pdates.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	h9039535.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	298e459c42560a451c2bdd39356986b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8633975.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	298e459c42560a451c2bdd39356986b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i1384907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8633975.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g4259827.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	h9039535.exe
904	h9039535.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	h9039535.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 5024	680	298e459c42560a451c2bdd39356986b0N.exe	86
PID 680 wrote to memory of 5024	680	298e459c42560a451c2bdd39356986b0N.exe	86
PID 680 wrote to memory of 5024	680	298e459c42560a451c2bdd39356986b0N.exe	86
PID 5024 wrote to memory of 5056	5024	x8633975.exe	87
PID 5024 wrote to memory of 5056	5024	x8633975.exe	87
PID 5024 wrote to memory of 5056	5024	x8633975.exe	87
PID 5056 wrote to memory of 4912	5056	g4259827.exe	89
PID 5056 wrote to memory of 4912	5056	g4259827.exe	89
PID 5056 wrote to memory of 4912	5056	g4259827.exe	89
PID 5024 wrote to memory of 904	5024	x8633975.exe	90
PID 5024 wrote to memory of 904	5024	x8633975.exe	90
PID 4912 wrote to memory of 5080	4912	pdates.exe	91
PID 4912 wrote to memory of 5080	4912	pdates.exe	91
PID 4912 wrote to memory of 5080	4912	pdates.exe	91
PID 4912 wrote to memory of 3424	4912	pdates.exe	93
PID 4912 wrote to memory of 3424	4912	pdates.exe	93
PID 4912 wrote to memory of 3424	4912	pdates.exe	93
PID 3424 wrote to memory of 4504	3424	cmd.exe	95
PID 3424 wrote to memory of 4504	3424	cmd.exe	95
PID 3424 wrote to memory of 4504	3424	cmd.exe	95
PID 3424 wrote to memory of 3240	3424	cmd.exe	96
PID 3424 wrote to memory of 3240	3424	cmd.exe	96
PID 3424 wrote to memory of 3240	3424	cmd.exe	96
PID 3424 wrote to memory of 3432	3424	cmd.exe	97
PID 3424 wrote to memory of 3432	3424	cmd.exe	97
PID 3424 wrote to memory of 3432	3424	cmd.exe	97
PID 3424 wrote to memory of 4520	3424	cmd.exe	98
PID 3424 wrote to memory of 4520	3424	cmd.exe	98
PID 3424 wrote to memory of 4520	3424	cmd.exe	98
PID 3424 wrote to memory of 1424	3424	cmd.exe	99
PID 3424 wrote to memory of 1424	3424	cmd.exe	99
PID 3424 wrote to memory of 1424	3424	cmd.exe	99
PID 3424 wrote to memory of 4708	3424	cmd.exe	100
PID 3424 wrote to memory of 4708	3424	cmd.exe	100
PID 3424 wrote to memory of 4708	3424	cmd.exe	100
PID 680 wrote to memory of 2160	680	298e459c42560a451c2bdd39356986b0N.exe	102
PID 680 wrote to memory of 2160	680	298e459c42560a451c2bdd39356986b0N.exe	102
PID 680 wrote to memory of 2160	680	298e459c42560a451c2bdd39356986b0N.exe	102

C:\Users\Admin\AppData\Local\Temp\298e459c42560a451c2bdd39356986b0N.exe
"C:\Users\Admin\AppData\Local\Temp\298e459c42560a451c2bdd39356986b0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8633975.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8633975.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4259827.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4259827.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
      "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9039535.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9039535.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1384907.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1384907.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1384907.exe

Filesize
172KB

MD5
f2120163556c76e18257c66751aa684f

SHA1
cbf8f21914041172ed0d25395a4de3a3ca2e84a6

SHA256
8e777fe91da4bc8c586f39d8fa2d7f8b8166d887318505c51acfb3d86ca28674

SHA512
f27b7c896c016c10e4eef37f08b4db75cac3f512af90f434dc59fbbcaf631fd313a37bd68b7e956d209996e0342fe09c1ae622eb7c08ad76eb523098428fdaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8633975.exe

Filesize
234KB

MD5
8d927963ae64da42a27ea4bf9d869b35

SHA1
71cf14db3e16b74ec1e2bdd85905b235599919b1

SHA256
201ac82995a3bb5c00180f9aa178ef141c7e932e55a8764dcf68140531424ca0

SHA512
09b9e4f6cf181285346d25fa8c024bbe5f5ded1abc7999fced1f40f4498cf4e0d7e63fc659b39da59dda9f59f592d3060db27e6d63d5298f25d2a71f52c7d013

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4259827.exe

Filesize
223KB

MD5
aea234064483f651010cf9d981f59fea

SHA1
002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

SHA256
58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

SHA512
eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9039535.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/904-27-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/2160-32-0x00000000001A0000-0x00000000001D0000-memory.dmp

Filesize
192KB

Download
memory/2160-33-0x0000000004C00000-0x0000000004C06000-memory.dmp

Filesize
24KB

Download
memory/2160-34-0x000000000A620000-0x000000000AC38000-memory.dmp

Filesize
6.1MB

Download
memory/2160-35-0x000000000A150000-0x000000000A25A000-memory.dmp

Filesize
1.0MB

Download
memory/2160-36-0x000000000A090000-0x000000000A0A2000-memory.dmp

Filesize
72KB

Download
memory/2160-37-0x000000000A0F0000-0x000000000A12C000-memory.dmp

Filesize
240KB

Download
memory/2160-38-0x00000000024A0000-0x00000000024EC000-memory.dmp

Filesize
304KB

Download