amadey | 033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfaf

Analysis

max time kernel
112s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe
Size

456KB
MD5

bfd492a1859477f0e0ad10de1f1a3150
SHA1

46b076da179595cf50136a866694b49cbb9988f2
SHA256

033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfaf
SHA512

24f4d7f190d269cdb043ecc303bbef483d88f0a12a47a9d6e03f6554f105443a6af2c00a5abd17a787e5128b917d266e67b23b57ace073da37000ffa9fe2aea5
SSDEEP

12288:bMr1y90xYjUbgQy0kgHq3FazVCXSTljWvXeY:KyuV1/3I46ShOOY

Score

10^/10

amadey healer redline fb0fb8 jokes discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

jokes

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/3464-14-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cab-29.dat	family_redline
behavioral1/memory/1300-31-0x0000000000D60000-0x0000000000D90000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	r9561632.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 7 IoCs

pid	Process
3388	z3026181.exe
3440	q7861844.exe
1200	r9561632.exe
1240	explonde.exe
1300	s8971849.exe
1008	explonde.exe
2980	explonde.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3026181.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3440 set thread context of 3464	3440	q7861844.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3912	3440	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s8971849.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z3026181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q7861844.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r9561632.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explonde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3464	AppLaunch.exe
3464	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	AppLaunch.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3388	1600	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe	84
PID 1600 wrote to memory of 3388	1600	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe	84
PID 1600 wrote to memory of 3388	1600	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe	84
PID 3388 wrote to memory of 3440	3388	z3026181.exe	85
PID 3388 wrote to memory of 3440	3388	z3026181.exe	85
PID 3388 wrote to memory of 3440	3388	z3026181.exe	85
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3440 wrote to memory of 3464	3440	q7861844.exe	86
PID 3388 wrote to memory of 1200	3388	z3026181.exe	93
PID 3388 wrote to memory of 1200	3388	z3026181.exe	93
PID 3388 wrote to memory of 1200	3388	z3026181.exe	93
PID 1200 wrote to memory of 1240	1200	r9561632.exe	94
PID 1200 wrote to memory of 1240	1200	r9561632.exe	94
PID 1200 wrote to memory of 1240	1200	r9561632.exe	94
PID 1600 wrote to memory of 1300	1600	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe	95
PID 1600 wrote to memory of 1300	1600	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe	95
PID 1600 wrote to memory of 1300	1600	033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe	95
PID 1240 wrote to memory of 5016	1240	explonde.exe	96
PID 1240 wrote to memory of 5016	1240	explonde.exe	96
PID 1240 wrote to memory of 5016	1240	explonde.exe	96
PID 1240 wrote to memory of 3412	1240	explonde.exe	98
PID 1240 wrote to memory of 3412	1240	explonde.exe	98
PID 1240 wrote to memory of 3412	1240	explonde.exe	98
PID 3412 wrote to memory of 3312	3412	cmd.exe	100
PID 3412 wrote to memory of 3312	3412	cmd.exe	100
PID 3412 wrote to memory of 3312	3412	cmd.exe	100
PID 3412 wrote to memory of 2248	3412	cmd.exe	101
PID 3412 wrote to memory of 2248	3412	cmd.exe	101
PID 3412 wrote to memory of 2248	3412	cmd.exe	101
PID 3412 wrote to memory of 3988	3412	cmd.exe	102
PID 3412 wrote to memory of 3988	3412	cmd.exe	102
PID 3412 wrote to memory of 3988	3412	cmd.exe	102
PID 3412 wrote to memory of 2492	3412	cmd.exe	103
PID 3412 wrote to memory of 2492	3412	cmd.exe	103
PID 3412 wrote to memory of 2492	3412	cmd.exe	103
PID 3412 wrote to memory of 3452	3412	cmd.exe	104
PID 3412 wrote to memory of 3452	3412	cmd.exe	104
PID 3412 wrote to memory of 3452	3412	cmd.exe	104
PID 3412 wrote to memory of 4036	3412	cmd.exe	105
PID 3412 wrote to memory of 4036	3412	cmd.exe	105
PID 3412 wrote to memory of 4036	3412	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe
"C:\Users\Admin\AppData\Local\Temp\033a58da23f541292cd011b98a8cd621a4230c9f86d6d731537b893ee1e3cfafN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3026181.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3026181.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q7861844.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q7861844.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 552
      4⤵
      Program crash
      PID:3912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9561632.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9561632.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8971849.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8971849.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3440 -ip 3440
1⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8971849.exe

Filesize
174KB

MD5
b9465390c7709cf52ab8797ab9ae0d66

SHA1
bc4550ebe76c364ffb295cb7ac3c7361448d6094

SHA256
05fb9644845cebe1c679506a94714e6b00e7152c17130aad338e79f35d570dbe

SHA512
95ee21ae771aa147fba28c12f80e60d3bef589309517d4a41098e58b3ff9c931206a0e54e3d5dfbbfa710b658e6c2ac2064435d15e2c86f4302953391f074ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3026181.exe

Filesize
301KB

MD5
7936b7cbcea5ff99a4513517118de395

SHA1
526ab76769598946d8521c222fae9ca772d5ba83

SHA256
634abdd3cfa78529a5b268c8d244ae714baa84b4868f82c2f28492b4e6f929fd

SHA512
e4fc455a2f88b01825c9cec20414b265dbcec394bd4f5aa33d4774e8e114b94b29264605f38f398fe48a602013bda188408f17fbaddddb58187ca1ff4f4b34be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q7861844.exe

Filesize
190KB

MD5
68996fb67004618f00eb1116c932b195

SHA1
cecfbc2ceea95f10b0c77938dd1e0b4eac1b9533

SHA256
870b1b797cdfc2afd7f1a468be8ea03777839662ae955c661f6e47dc793bfa84

SHA512
5172dd8a95eab03e3b841b17fbd2090d155c1e77b778f805174a8411d7c1d6aabbf3a7858c0073e95fbb5bf5bcc5fb1350fa9368893f7642aa6daad02552dabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9561632.exe

Filesize
222KB

MD5
d8bbe90838a926837d9f7970bd434005

SHA1
931c65ea852ae7ab47e789860d939a475773427a

SHA256
a3c901ff3909606fe5f3341fcecf3a6fac17674d7e1ab7a347909e31d28af74f

SHA512
e95f8a2ab52fe265b0463a3fd66e1a519711e61c06bfbc995a1529c9635acb1d97b1d3cf8539530e0b34798f0ac83be604341d3eb9ed1f55c5cfc73ebc48fb4d

Download Submit
memory/1300-34-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/1300-31-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/1300-32-0x0000000002F60000-0x0000000002F66000-memory.dmp

Filesize
24KB

Download
memory/1300-33-0x0000000005D60000-0x0000000006378000-memory.dmp

Filesize
6.1MB

Download
memory/1300-35-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/1300-36-0x0000000005740000-0x000000000577C000-memory.dmp

Filesize
240KB

Download
memory/1300-37-0x0000000005780000-0x00000000057CC000-memory.dmp

Filesize
304KB

Download
memory/3464-15-0x0000000073E8E000-0x0000000073E8F000-memory.dmp

Filesize
4KB

Download
memory/3464-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3464-38-0x0000000073E8E000-0x0000000073E8F000-memory.dmp

Filesize
4KB

Download