amadey | ac848e3af9a5738ef6791dafa2a763a7718c25f1df48a6430827cabe9a5d68f2

General

Target

file.exe
Size

1.9MB
MD5

48d34a4ac51f1a89e010b64fa8cfdcc2
SHA1

ef2a194fbb28562afc735ae4ee74429521ef9105
SHA256

ac848e3af9a5738ef6791dafa2a763a7718c25f1df48a6430827cabe9a5d68f2
SHA512

63fd4531148ca40fa60997692a79e678dcbc032153204cbb591831478aaee70cdde3b7568b8fdae12f995beb84c687bbcf23e094b2fa5e588bb531f0f7a50b28
SSDEEP

49152:Zzuatph4L2H+Ug2sf77jALl77nXmwDdRAbh0SbTPsAEpKE:duqph4L2exT7MB77nXmwI7cF

Score

10^/10

amadey redline fed3aa livetraffic discovery evasion infostealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.250.45:26212

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1772-34-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 3 IoCs

pid	Process
4048	axplong.exe
3500	gold.exe
4936	12dsvc.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
32	file.exe
4048	axplong.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3500 set thread context of 1772	3500	gold.exe	74

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12dsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
32	file.exe
32	file.exe
4048	axplong.exe
4048	axplong.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
32	file.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 4048	32	file.exe	71
PID 32 wrote to memory of 4048	32	file.exe	71
PID 32 wrote to memory of 4048	32	file.exe	71
PID 4048 wrote to memory of 3500	4048	axplong.exe	72
PID 4048 wrote to memory of 3500	4048	axplong.exe	72
PID 4048 wrote to memory of 3500	4048	axplong.exe	72
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 3500 wrote to memory of 1772	3500	gold.exe	74
PID 4048 wrote to memory of 4936	4048	axplong.exe	75
PID 4048 wrote to memory of 4936	4048	axplong.exe	75
PID 4048 wrote to memory of 4936	4048	axplong.exe	75

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
    3⤵
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

Filesize
128KB

MD5
489dd8c4bde7106229eb0c87da8bfa85

SHA1
84ca581d91b1433a7bd555d25249733b2500ba74

SHA256
9173b11073bb42b7ed71610c6d7a08ef928e0fdc76ee2c93a9be4bff169c0b71

SHA512
a7e373b43e3cee26ce1b61c7bcfbca2e2d03b2e7dec5502c1b6a0dcf6568112c086361990515e84c8eb35105d2e780b60ca32bd757cda48f4b8c407265031ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
312KB

MD5
389881b424cf4d7ec66de13f01c7232a

SHA1
d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

SHA256
9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

SHA512
2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

Filesize
1.1MB

MD5
6c9e7815208530b2574368f8a70e5790

SHA1
61d5d998abbbfe9c6efd9d38b8c99a3b48f8a7de

SHA256
c0f8b5afad6fab4136affd308519c36e3779d597413d00e79e7f939bd7bae782

SHA512
013b6ce1104d05cdd4587197c4e177ef13409db9c81084551450674833d3876a050035a4545a647a257538a2cb44aafaada534c9bfe8e2b5bcf6a9f2dcff134d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.9MB

MD5
48d34a4ac51f1a89e010b64fa8cfdcc2

SHA1
ef2a194fbb28562afc735ae4ee74429521ef9105

SHA256
ac848e3af9a5738ef6791dafa2a763a7718c25f1df48a6430827cabe9a5d68f2

SHA512
63fd4531148ca40fa60997692a79e678dcbc032153204cbb591831478aaee70cdde3b7568b8fdae12f995beb84c687bbcf23e094b2fa5e588bb531f0f7a50b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1A1.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
memory/32-1-0x0000000077D84000-0x0000000077D85000-memory.dmp

Filesize
4KB

Download
memory/32-2-0x0000000000941000-0x000000000096F000-memory.dmp

Filesize
184KB

Download
memory/32-3-0x0000000000940000-0x0000000000E22000-memory.dmp

Filesize
4.9MB

Download
memory/32-5-0x0000000000940000-0x0000000000E22000-memory.dmp

Filesize
4.9MB

Download
memory/32-14-0x0000000000940000-0x0000000000E22000-memory.dmp

Filesize
4.9MB

Download
memory/32-0-0x0000000000940000-0x0000000000E22000-memory.dmp

Filesize
4.9MB

Download
memory/1772-34-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1772-96-0x0000000008AE0000-0x0000000008B2B000-memory.dmp

Filesize
300KB

Download
memory/1772-37-0x0000000005B10000-0x000000000600E000-memory.dmp

Filesize
5.0MB

Download
memory/1772-39-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/1772-90-0x0000000008920000-0x0000000008932000-memory.dmp

Filesize
72KB

Download
memory/1772-50-0x00000000055C0000-0x00000000055CA000-memory.dmp

Filesize
40KB

Download
memory/1772-88-0x0000000007170000-0x0000000007776000-memory.dmp

Filesize
6.0MB

Download
memory/1772-83-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/1772-77-0x0000000006210000-0x0000000006286000-memory.dmp

Filesize
472KB

Download
memory/3500-31-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/4048-15-0x00000000008E0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/4048-16-0x00000000008E0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/4048-17-0x00000000008E0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/4048-18-0x00000000008E0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/4048-13-0x00000000008E0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/4936-52-0x0000000000890000-0x00000000009A6000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads