Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-ec2jrsxaqd
Target f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6
SHA256 f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6
Tags
amadey healer redline f9a925 discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6

Threat Level: Known bad

The file f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline f9a925 discovery dropper evasion infostealer persistence trojan

Healer family

Amadey

Detects Healer, an antivirus disabler dropper

Healer

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Amadey family

RedLine

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:48

Reported

2024-11-09 03:51

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l8726619.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2188 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe
PID 2184 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe
PID 2184 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe
PID 1584 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe | C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
PID 2188 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l8726619.exe
PID 3680 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3680 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 4424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1304 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6.exe
    "C:\Users\Admin\AppData\Local\Temp\f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l8726619.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l8726619.exe

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\c3912af058" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\c3912af058" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
FI | 77.91.124.20:80 | | tcp | 5
FI | 77.91.124.251:19069 | | tcp | 7
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8464590.exe

MD5 72ebee63979699073bcbca2ef6494726
SHA1 1d657628c59bca69b7ca7804e1406ddcdc06d4f3
SHA256 acca0f795db10cbd04f46c383c81a25d482b8d9e211370c86fb522916d7636a9
SHA512 e07bc44a9fdc802891cf748720dc0bad00a272e5c0e18ea414907f0a9ba48626022611ebc33e575ec8eb959aebe7f7bc011ca689062a1ec1660b59c419e7847f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5761768.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3075491.exe

MD5 c14869045ea50a4368e015350d349b81
SHA1 f0515e00463d02b8cd9404a0b2b4ba21e2155fac
SHA256 454da82a4921c2826b942421cfd4c066242abbb6bb079f9be478c10026640196
SHA512 14456e2d4be1670573d3dd9c3cac91317c52f7dc4c9e5632bfae7f19cc6e073adb2a5a55ee8e7f920f3b4fabd2e95082f0a5650190aad9b0663450fa583dee22

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l8726619.exe

MD5 0755e15fde4a26c3ca4165495ef7a5c3
SHA1 10af567db71c7da26088998e3acdd6703c947a81
SHA256 54be5f469fad0c82838f15fb99ff3c3a5bf1e9a5333081a9389c67a027498b53
SHA512 a54e6777da55bc82b0e526a2f34d7b50a57f170eeb9bbfcc27eca258911d8ba26eab9995a37694e0f4f8aeb1b9b280518b46e0f240a8c745f6f15c94071a3ff8
