9
mins read

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

Author image
Mehardeep Singh Sawhney
July 28, 2023
Last Update posted on
February 3, 2024
Proactive Monitoring of the Dark Web for your organization

Proactively monitor and defend against malware with CloudSEK XVigil Malware Logs module, ensuring the integrity of your digital assets

Schedule a Demo
Table of Contents
Author(s)
No items found.

Category: Malware Intelligence

Type/Family: 

AV Disabler/Healer
Botnet/Amadey
Stealer/RedLine

Industry: Multiple

Region: Global

Executive Summary

THREAT

  • New Healer AV disabler being utilized by Amadey botnet in order to disable Microsoft Defender.
  • Redline stealer dropped on target systems.
  • Target systems infected with Amadey botnet.

IMPACT

  • Microsoft Defender is permanently disabled on target.
  • Microsoft Auto-Update is disabled, restricting targets to get latest security patches.
  • Redline infostealer deployed to steal sensitive information.
  • Threat actors gain full control of target systems using Amadey bot.

MITIGATION

  • Keep assets updated with the latest Microsoft security patch.
  • Use strong anti-malware software and practices.

Analysis and Campaign Overview

CloudSEK’s threat intelligence team has a Microsoft Defender antivirus (AV) disabler named Healer.exe . The executable was found on Tria.ge, and the tag given by Tria.ge for this executable is Healer

Healer tag seen in Amadey and Redline samples

Upon further investigation of the executable. It was found that this executable is a part of an on-going multi-stage Amadey Botnet campaign, that also drops the infamous Redline infostealer on target systems. However, the attack does not begin with this executable.

Campaign Overview

An overview of the stages of the attack (most popular instances)

Stage 1: Dropper no. 1 (.EXE) is deployed on the system, and has two EXEs embedded within itself. Drops the two executables on the system.

Stage 2: Dropper no. 2 (.EXE) serves as a dropper for two more executables; Healer.exe (Microsoft Defender disabler) and RedLine infostealer.

Stage 3: Dropper no. 3 (.EXE) drops the Amadey executable and executes it on the system

It should be noted that there were slight variations seen from campaign to campaign (for eg. one extra dropper being used in one of the stages, or different file dropping order), but the attack flow remains very similar. The example campaign used for technical analysis follows a different order for dropping files.

Technical Analysis

Stage 1 - Dropper no. 1 (Drops Second Stage Dropper)

The campaign starts off with the deployment of dropper no. 1 on the target system. This file is most often  a PE32 C++ executable, with the original name WEXTRACT.EXE.MUI. The file description states that this file is a “Win32 Cabinet Self-Extractor”, which indicates that this binary may have embedded binaries within its resources. The copyright also states that this file is owned by Microsoft.

Original file details

Taking a look at the resources section of this executable confirms our suspicions of embedded binaries. We can see that the binary contains a Cabinet (.CAB) file within the section. The Microsoft Cabinet file format is an archive file format used to store compressed files within itself. We can also see that the .rsrc section occupies 91.41 percent of the file size.

Cabinet file within resources section

We can see that the Cabinet file contains two executables that are stored within the archive.

Files stored within the Cabinet

We the order of execution of those files by looking at the “RUNPROGRAM” and “POSTRUNPROGRAM” attributes. The executable name specified in “RUNPROGRAM” will be executed first, and after that the executable name specified in “POSTRUNPROGRAM” will be executed.

The order of execution of the programs

The executables are dropped in a newly created directory in C:\Users\[Username]\AppData\Local\Temp\ in a similar fashion to that shown below.

Executable drop location

Stage 2 - Dropper no. 2 (Healer and Amadey)

Contrary to the diagram shared in Campaign Overview, the files associated with this campaign being used for technical analysis will first be Amadey and Healer.exe using dropper no. 2. The second stage dropper also operates in the same fashion as the first stage dropper, in that it uses a Cabinet to drop its executables.

Same filename and description as the first dropper

Cabinet containing two more executables

The executables are dropped in the same path under a different directory. The file executed first (in this case g8262924.exe) is a dropper for Amadey, and drops it in a new directory stored in the path C:\Users\[Username]\AppData\Temp\. Healer.exe is executed after Amadey.

Amadey executable

Amadey

Amadey is a botnet family that allows a threat actor to gain full access to a target system. Amadey has its own C2 panel, in-built Infostealer module, and cryptocurrency transaction interceptor module. The executable comes in the form of a PE32 C++ binary.

Upon execution, there is a long process chain formed. Essentially, Amadey starts off by:

  • Creating a Startup registry entry in order to make it so that Amadey runs every time a user logs on.
  • Creating a scheduled task that runs the Amadey binary every minute using the command “C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /MO 1 /TN amadey.exe /TR “C:\Users\[Username]\AppData\Local\Temp\5eb6b96734\amadey.exe” /F.
  • Changing the rights for the username “Test”, making it so that the Amadey binary cannot be written to or deleted, but only read. The command used is CACLS  ”mnolyk.exe” /P “test:R” /E.

Them, Amadey initiates a connection with the C2 server by sending out an HTTP POST request. This request contains information about the current target. Information such as Amadey Bot identification details, target PC and OS information, target username, etc.

Amadey initial C2 communication

After a connection with the C2 server has been successfully made, Amadey fetches two malicious DLLs from the C2 server, namely cred64.dll and clip64.dll. It does this by initiating an HTTP GET request.

An example of Amadey downloading clip64.dll from the C2 server

Cred64.dll, the in-built infostealer module, will attempt to steal saved credentials from browsers and information from cryptocurrency wallets. Some of the target applications include Google Chrome, Microsoft Edge, Opera, Electrum, Monero and Litecoin. Data is exfiltrated using HTTP POST requests.

Clip64.dll, the module responsible for intercepting cryptocurrency transactions, steals cryptocurrency from its victims by replacing the intended recipient wallet address with the threat actor’s wallet address. It does this by replacing anything stored in the clipboard with that wallet address.

Amadey has also been seen to be used as a Malware downloader. Threat actors are known to deploy many popular Infostealer families such as Vidar and Redline, along with other type of Malware using Amadey.

Healer.exe (Microsoft Defender disabler)

Post the execution of Amadey in this campaign, the second binary (in this case, h6920491.exe) is executed on the system. The file is a PE32 .NET Assembly, which is of the original name Healer.exe with description Healer.

 Basic file information

By making changes to registry entries, this disabler permanently disables Microsoft Defender and its Anti-Spyware measures, along with disabling Windows automatic updates, so that the target does not get latest security patches, and does not restart unexpectedly.

Registry changes made by Healer

User unable to make changes to Defender settings

Important Registry Changes

Registry Path

Value 

Meaning

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection 

0

Allows the executable to make changes to Microsoft Defender settings through registry or other means.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

1

Disable Microsoft Antivirus.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviourMonitoring

1

Disable real-time behavior monitoring.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

1

Disable Microsoft Office antivirus protection.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

1

Disable monitoring of file activity on the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring

1

Disable real-time monitoring.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

1

Disable real-time process scanning.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications

1

Disable Microsoft Defender notifications.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions

2

Disable Windows Automatic Updates.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates

0

Disables the automatic installation of minor updates.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

1

Disable automatic update.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers

1

Disable automatic reboot when users are logged on.


In most instances of this campaign observed, Healer.exe is executed before the deployment of Amadey/Redline. This also makes sense logically, since the threat actor would want to disable security measures in order to ensure flawless deployment and execution of the further stages. 

The fact that in this case, Healer is deployed after Amadey leads us to believe that this may be an error made by the threat actor associated with this specific campaign.

Stage 3 - Dropper no. 1 (Drops Redline)

Lastly, the second file dropped by the first stage dropper (in this case, j3096141.exe) is executed. This is a variant of the Redline Infostealer. It comes in the form of a PE32 .NET assembly, and has the capability of saving saved credentials, cookies, and other information from multiple popular browsers and cryptocurrency wallets. 

You can read more about the Redline Infostealer in our technical analysis report here.

An example of Redline’s configuration

Indicators of Compromise (IoCs)



SHA256

80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376

d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800

1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5

850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2

021ae2fadbc8bc4e83013de03902e6e97c2815ab821adaa58037e562a6b2357b

aab1460440bee10e2efec9b5c83ea20ed85e7a17d4ed3b4a19341148255d54b1

54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc

0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41

cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8

3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

35E5DF856FEE7AAB059E2B80D3A2FC9207CBE3882B3626FAB11F34EA3383F043

4E1377F9874F333DCB0B1B758E3131949E667FC39AADF3091E4E3B7CDBAEEF1D

91FDA0FD32F0E8FD120E767235C58C189F6CC3119D06A813E1C642AB95F28C10

4E1377F9874F333DCB0B1B758E3131949E667FC39AADF3091E4E3B7CDBAEEF1D

850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38


IPv4

224.0.0.252

77.91.68.3

77.91.68.68

193.233.20.7

62.204.41.5

62.204.41.251

193.233.20.11


URLs

http://77.91.68.3/home/love/Plugins/cred64.dll

http://77.91.68.3/home/love/index.php

http://77.91.68.3/home/love/Plugins/clip64.dll

http://62.204.41.5/Bu58Ngs/Plugins/cred64.dll

http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll

http://62.204.41.5/Bu58Ngs/index.php


Yara Rules

Amadey


rule win_amadey_a9f4 {

    meta:
        author                    = "Johannes Bader"
        date                      = "2022-11-17"
        description               = "matches unpacked Amadey samples"
        hash_md5                  = "25cfcfdb6d73d9cfd88a5247d4038727"
        hash_sha1                 = "912d1ef61750bc622ee069cdeed2adbfe208c54d"
        hash_sha256               = "03effd3f94517b08061db014de12f8bf01166a04e93adc2f240a6616bb3bd29a"
        malpedia_family           = "win.amadey"
        tlp                       = "TLP:WHITE"
        version                   = "v1.0"
        yarahub_author_email      = "[email protected]"
        yarahub_author_twitter    = "@viql"
        yarahub_license           = "CC BY-SA 4.0"
        yarahub_reference_md5     = "25cfcfdb6d73d9cfd88a5247d4038727"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp  = "TLP:WHITE"
        yarahub_uuid              = "a9f41cd4-3f67-42fc-b310-e9b251c95fe4"

    strings:
        $pdb  = "\\Amadey\\Release\\Amadey.pdb"
        /*  Amadey uses multiple hex strings to decrypt the strings, C2 traffic
            and as identification. The preceeding string 'stoi ...' is added to
            improve performance.
        */
        $keys = /stoi argument out of range\x00\x00[a-f0-9]{32}\x00{1,16}[a-f0-9]{32}\x00{1,4}[a-f0-9]{6}\x00{1,4}[a-f0-9]{32}\x00/

    condition:
        uint16(0) == 0x5A4D and
        (
            $pdb or $keys
        )
}

rule win_amadey_auto {

meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
version = "1"
description = "Detects win.amadey."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
malpedia_rule_date = "20230705"
malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
malpedia_version = "20230715"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"

/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/

strings:
$sequence_0 = { 8945f4 837df408 744f 8d85e8fdffff 890424 e8???????? c70424???????? }
// n = 7, score = 700
//   8945f4               | mov                 dword ptr [ebp - 0xc], eax
//   837df408             | cmp                 dword ptr [ebp - 0xc], 8
//   744f                 | je                  0x51
//   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
//   890424               | mov                 dword ptr [esp], eax
//   e8????????           |                     
//   c70424????????       |                     

$sequence_1 = { c745fc00000000 e8???????? 84c0 750c c7042401000000 e8???????? e8???????? }
// n = 7, score = 700
//   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
//   e8????????           |                     
//   84c0                 | test                al, al
//   750c                 | jne                 0xe
//   c7042401000000       | mov                 dword ptr [esp], 1
//   e8????????           |                     
//   e8????????           |                     

$sequence_2 = { 89442404 891424 e8???????? 85c0 7510 8b45fc 40 }
// n = 7, score = 700
//   89442404             | mov                 dword ptr [esp + 4], eax
//   891424               | mov                 dword ptr [esp], edx
//   e8????????           |                     
//   85c0                 | test                eax, eax
//   7510                 | jne                 0x12
//   8b45fc               | mov                 eax, dword ptr [ebp - 4]
//   40                   | inc                 eax

$sequence_3 = { 890424 e8???????? c7042400000000 e8???????? 81c424040000 }
// n = 5, score = 700
//   890424               | mov                 dword ptr [esp], eax
//   e8????????           |                     
//   c7042400000000       | mov                 dword ptr [esp], 0
//   e8????????           |                     
//   81c424040000         | add                 esp, 0x424

$sequence_4 = { e8???????? 8945f4 837df40a 0f842e010000 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df40a             | cmp                 dword ptr [ebp - 0xc], 0xa
            //   0f842e010000         | je                  0x134

        $sequence_5 = { e8???????? c7442404???????? 8b4508 890424 e8???????? 85c0 7e75 }
            // n = 7, score = 700
            //   e8????????           |                     
            //   c7442404????????     |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7e75                 | jle                 0x77

        $sequence_6 = { 890424 e8???????? c7042401000000 e8???????? 89442404 8d85e8fbffff 890424 }
            // n = 7, score = 700
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   e8????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d85e8fbffff         | lea                 eax, [ebp - 0x418]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_7 = { e8???????? 8b4508 c60000 c9 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c60000               | mov                 byte ptr [eax], 0
            //   c9                   | leave               

        $sequence_8 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 }
            // n = 5, score = 500
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_9 = { 83fa10 722f 8b8d78feffff 42 8bc1 81fa00100000 7214 }
            // n = 7, score = 500
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d78feffff         | mov                 ecx, dword ptr [ebp - 0x188]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx
            //   81fa00100000         | cmp                 edx, 0x1000
            //   7214                 | jb                  0x16

        $sequence_10 = { 52 51 e8???????? 83c408 8b955cfeffff }
            // n = 5, score = 400
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b955cfeffff         | mov                 edx, dword ptr [ebp - 0x1a4]

        $sequence_11 = { 50 68???????? 83ec18 8bcc 68???????? }
            // n = 5, score = 400
            //   50                   | push                eax
            //   68????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     

        $sequence_12 = { 8b7dfc 8d4201 3bcb 7ccb 837e1410 }
            // n = 5, score = 400
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   8d4201               | lea                 eax, [edx + 1]
            //   3bcb                 | cmp                 ecx, ebx
            //   7ccb                 | jl                  0xffffffcd
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
-- contd--
 ---contd----
        $sequence_13 = { 83c408 8b554c c7453000000000 c745340f000000 c6452000 83fa10 0f8204ffffff }
            // n = 7, score = 400
            //   83c408               | add                 esp, 8
            //   8b554c               | mov                 edx, dword ptr [ebp + 0x4c]
            //   c7453000000000       | mov                 dword ptr [ebp + 0x30], 0
            //   c745340f000000       | mov                 dword ptr [ebp + 0x34], 0xf
            //   c6452000             | mov                 byte ptr [ebp + 0x20], 0
            //   83fa10               | cmp                 edx, 0x10
            //   0f8204ffffff         | jb                  0xffffff0a

        $sequence_14 = { 68e8030000 ff15???????? 8b551c 83fa10 7228 8b4d08 }
            // n = 6, score = 400
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   8b551c               | mov                 edx, dword ptr [ebp + 0x1c]
            //   83fa10               | cmp                 edx, 0x10
            //   7228                 | jb                  0x2a
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_15 = { 83fa10 722f 8b8d60feffff 42 }
            // n = 4, score = 400
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d60feffff         | mov                 ecx, dword ptr [ebp - 0x1a0]
            //   42                   | inc                 edx

        $sequence_16 = { 68???????? e8???????? 8d4db4 e8???????? 83c418 }
            // n = 5, score = 400
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_17 = { c78514feffff0f000000 c68500feffff00 83fa10 722f 8b8de8fdffff 42 }
            // n = 6, score = 300
            //   c78514feffff0f000000     | mov    dword ptr [ebp - 0x1ec], 0xf
            //   c68500feffff00       | mov                 byte ptr [ebp - 0x200], 0
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8de8fdffff         | mov                 ecx, dword ptr [ebp - 0x218]
            //   42                   | inc                 edx

        $sequence_18 = { 83c408 8b95fcfdffff c78510feffff00000000 c78514feffff0f000000 c68500feffff00 83fa10 }
            // n = 6, score = 300
            //   83c408               | add                 esp, 8
            //   8b95fcfdffff         | mov                 edx, dword ptr [ebp - 0x204]
            //   c78510feffff00000000     | mov    dword ptr [ebp - 0x1f0], 0
            //   c78514feffff0f000000     | mov    dword ptr [ebp - 0x1ec], 0xf
            //   c68500feffff00       | mov                 byte ptr [ebp - 0x200], 0
            //   83fa10               | cmp                 edx, 0x10

    condition:
        7 of them and filesize < 520192
}

}

Redline


rule detect_Redline_Stealer {
     meta:
        date = "2023-06-06"
        author ="Varp0s"
        yarahub_reference_md5     = "554d25724c8f6f53af8721d0ef6b6f42"
        yarahub_uuid = "671d6f32-8236-46b5-80e3-057192936607"
        yarahub_license =  "CC0 1.0"
        yarahub_rule_matching_tlp =  "TLP:WHITE"
        yarahub_rule_sharing_tlp =  "TLP:WHITE"
        tlp = "WHITE"

    strings:

        $req0 = {72 75 6E 64 6C 6C 33 32 2E 65 78 65 20 25 73 61} 
        $req1 = {43 6F 6E 74 72 6F 6C 20 50 61 6E 65 6C 5C 44 65}
        $req2 = {77 65 78 74 72 61 63 74 2E 70 64 62 00} 
        $req3 = {49 58 50 25 30 33 64 2E 54 4D 50 00}
        $req4 = {54 4D 50 34 33 35 31 24 2E 54 4D 50 00}
        $req5 = {43 6F 6D 6D 61 6E 64 2E 63 6F 6D 20 2F 63 20 25} 
        $req6 = {55 50 44 46 49 4C 45 25 6C 75 00}


              
    condition:
        all of them
}  






rule detect_Redline_Stealer_V2 {
     meta:
        date = "2023-06-06"
        author ="Varp0s"
        yarahub_reference_md5     = "554d25724c8f6f53af8921d0ef6b6f42"
        yarahub_uuid = "e20669f7-da89-41f6-abeb-c3b5a770530e"
        yarahub_license =  "CC0 1.0"
        yarahub_rule_matching_tlp =  "TLP:WHITE"
        yarahub_rule_sharing_tlp =  "TLP:WHITE"
        tlp = "WHITE"
    strings:

        $req0 = {41 00 75 00 74 00 68 00 6F 00 72 00 69 00 7A} 
        $req1 = {6E 00 65 00 74 00 2E 00 74 00 63 00 70 00 3A 00}
        $req3 = {44 00 65 00 63 00 63 00 69 00 65 00 00 00}
        $req4 = {61 00 6D 00 6B 00 6D 00 6A 00 6A 00 6D 00 6D 00}
        $req5 = {31 00 36 00 33 00 2E 00 31 00 32 00 33 00 2E 00}
        $req6 = {59 00 61 00 6E 00 64 00 65 00 78 00 5C 00 59 00}
        $req7 = {31 00 2A 00 2E 00 31 00 6C 00 31 00 64 00 31 00}

              
    condition:
        3 of them 
} 

Healer.exe


import "pe"

rule detect_Healer_Defender_Disabler {
    meta:
        date = "2023-07-25"
        author = "Mehardeep Singh Sawhney"
        description = "Rule to detect Healer Microsoft Defender disabler"
        tlp = "WHITE"

    strings:
        $string1 = "Program.DisableService(\"WinDefend\");"
        $string2 = "Program.RegistryEdit(\"SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\", \"TamperProtection\", \"0\");"
        $string3 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\", \"DisableAntiSpyware\", \"1\");"
        $string4 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableBehaviorMonitoring\", \"1\");"
        $string5 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableIOAVProtection\", \"1\");"
        $string6 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableOnAccessProtection\", \"1\");"
        $string7 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableRealtimeMonitoring\", \"1\");"
        $string8 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableScanOnRealtimeEnable\", \"1\");"
        $string9 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\", \"DisableNotifications\", \"1\");"
        $string10 = "Program.DisableService(\"wuauserv\");"
        $string11 = "Program.DisableService(\"WaaSMedicSvc\");"
        $string12 = "Program.DisableService(\"UsoSvc\");"
        $string13 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"AUOptions\", \"2\");"
        $string14 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"AutoInstallMinorUpdates\", \"0\");"
        $string15 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"NoAutoUpdate\", \"1\");"
        $string16 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"NoAutoRebootWithLoggedOnUsers\", \"1\");"
        $string17 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"UseWUServer\", \"1\");"
        $string18 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"DoNotConnectToWindowsUpdateInternetLocations\", \"1\");"
        $string19 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"WUStatusServer\", \"server.wsus\");"
        $string20 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"WUServer\", \"server.wsus\");"
        $string21 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"UpdateServiceUrlAlternate\", \"server.wsus\");"

    condition:
        all of them and pe.is_dotnet
}

Author

Mehardeep Singh Sawhney

Extremely passionate about cyber security and it's real application in protecting Information Assets. Love learning about new ways to exploit devices

Predict Cyber threats against your organization

Related Posts
Blog Image
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Malware

9

min read

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

Authors
Mehardeep Singh Sawhney
Extremely passionate about cyber security and it's real application in protecting Information Assets. Love learning about new ways to exploit devices
Co-Authors
No items found.

Category: Malware Intelligence

Type/Family: 

AV Disabler/Healer
Botnet/Amadey
Stealer/RedLine

Industry: Multiple

Region: Global

Executive Summary

THREAT

  • New Healer AV disabler being utilized by Amadey botnet in order to disable Microsoft Defender.
  • Redline stealer dropped on target systems.
  • Target systems infected with Amadey botnet.

IMPACT

  • Microsoft Defender is permanently disabled on target.
  • Microsoft Auto-Update is disabled, restricting targets to get latest security patches.
  • Redline infostealer deployed to steal sensitive information.
  • Threat actors gain full control of target systems using Amadey bot.

MITIGATION

  • Keep assets updated with the latest Microsoft security patch.
  • Use strong anti-malware software and practices.

Analysis and Campaign Overview

CloudSEK’s threat intelligence team has a Microsoft Defender antivirus (AV) disabler named Healer.exe . The executable was found on Tria.ge, and the tag given by Tria.ge for this executable is Healer

Healer tag seen in Amadey and Redline samples

Upon further investigation of the executable. It was found that this executable is a part of an on-going multi-stage Amadey Botnet campaign, that also drops the infamous Redline infostealer on target systems. However, the attack does not begin with this executable.

Campaign Overview

An overview of the stages of the attack (most popular instances)

Stage 1: Dropper no. 1 (.EXE) is deployed on the system, and has two EXEs embedded within itself. Drops the two executables on the system.

Stage 2: Dropper no. 2 (.EXE) serves as a dropper for two more executables; Healer.exe (Microsoft Defender disabler) and RedLine infostealer.

Stage 3: Dropper no. 3 (.EXE) drops the Amadey executable and executes it on the system

It should be noted that there were slight variations seen from campaign to campaign (for eg. one extra dropper being used in one of the stages, or different file dropping order), but the attack flow remains very similar. The example campaign used for technical analysis follows a different order for dropping files.

Technical Analysis

Stage 1 - Dropper no. 1 (Drops Second Stage Dropper)

The campaign starts off with the deployment of dropper no. 1 on the target system. This file is most often  a PE32 C++ executable, with the original name WEXTRACT.EXE.MUI. The file description states that this file is a “Win32 Cabinet Self-Extractor”, which indicates that this binary may have embedded binaries within its resources. The copyright also states that this file is owned by Microsoft.

Original file details

Taking a look at the resources section of this executable confirms our suspicions of embedded binaries. We can see that the binary contains a Cabinet (.CAB) file within the section. The Microsoft Cabinet file format is an archive file format used to store compressed files within itself. We can also see that the .rsrc section occupies 91.41 percent of the file size.

Cabinet file within resources section

We can see that the Cabinet file contains two executables that are stored within the archive.

Files stored within the Cabinet

We the order of execution of those files by looking at the “RUNPROGRAM” and “POSTRUNPROGRAM” attributes. The executable name specified in “RUNPROGRAM” will be executed first, and after that the executable name specified in “POSTRUNPROGRAM” will be executed.

The order of execution of the programs

The executables are dropped in a newly created directory in C:\Users\[Username]\AppData\Local\Temp\ in a similar fashion to that shown below.

Executable drop location

Stage 2 - Dropper no. 2 (Healer and Amadey)

Contrary to the diagram shared in Campaign Overview, the files associated with this campaign being used for technical analysis will first be Amadey and Healer.exe using dropper no. 2. The second stage dropper also operates in the same fashion as the first stage dropper, in that it uses a Cabinet to drop its executables.

Same filename and description as the first dropper

Cabinet containing two more executables

The executables are dropped in the same path under a different directory. The file executed first (in this case g8262924.exe) is a dropper for Amadey, and drops it in a new directory stored in the path C:\Users\[Username]\AppData\Temp\. Healer.exe is executed after Amadey.

Amadey executable

Amadey

Amadey is a botnet family that allows a threat actor to gain full access to a target system. Amadey has its own C2 panel, in-built Infostealer module, and cryptocurrency transaction interceptor module. The executable comes in the form of a PE32 C++ binary.

Upon execution, there is a long process chain formed. Essentially, Amadey starts off by:

  • Creating a Startup registry entry in order to make it so that Amadey runs every time a user logs on.
  • Creating a scheduled task that runs the Amadey binary every minute using the command “C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /MO 1 /TN amadey.exe /TR “C:\Users\[Username]\AppData\Local\Temp\5eb6b96734\amadey.exe” /F.
  • Changing the rights for the username “Test”, making it so that the Amadey binary cannot be written to or deleted, but only read. The command used is CACLS  ”mnolyk.exe” /P “test:R” /E.

Them, Amadey initiates a connection with the C2 server by sending out an HTTP POST request. This request contains information about the current target. Information such as Amadey Bot identification details, target PC and OS information, target username, etc.

Amadey initial C2 communication

After a connection with the C2 server has been successfully made, Amadey fetches two malicious DLLs from the C2 server, namely cred64.dll and clip64.dll. It does this by initiating an HTTP GET request.

An example of Amadey downloading clip64.dll from the C2 server

Cred64.dll, the in-built infostealer module, will attempt to steal saved credentials from browsers and information from cryptocurrency wallets. Some of the target applications include Google Chrome, Microsoft Edge, Opera, Electrum, Monero and Litecoin. Data is exfiltrated using HTTP POST requests.

Clip64.dll, the module responsible for intercepting cryptocurrency transactions, steals cryptocurrency from its victims by replacing the intended recipient wallet address with the threat actor’s wallet address. It does this by replacing anything stored in the clipboard with that wallet address.

Amadey has also been seen to be used as a Malware downloader. Threat actors are known to deploy many popular Infostealer families such as Vidar and Redline, along with other type of Malware using Amadey.

Healer.exe (Microsoft Defender disabler)

Post the execution of Amadey in this campaign, the second binary (in this case, h6920491.exe) is executed on the system. The file is a PE32 .NET Assembly, which is of the original name Healer.exe with description Healer.

 Basic file information

By making changes to registry entries, this disabler permanently disables Microsoft Defender and its Anti-Spyware measures, along with disabling Windows automatic updates, so that the target does not get latest security patches, and does not restart unexpectedly.

Registry changes made by Healer

User unable to make changes to Defender settings

Important Registry Changes

Registry Path

Value 

Meaning

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection 

0

Allows the executable to make changes to Microsoft Defender settings through registry or other means.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

1

Disable Microsoft Antivirus.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviourMonitoring

1

Disable real-time behavior monitoring.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

1

Disable Microsoft Office antivirus protection.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

1

Disable monitoring of file activity on the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring

1

Disable real-time monitoring.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

1

Disable real-time process scanning.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications

1

Disable Microsoft Defender notifications.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions

2

Disable Windows Automatic Updates.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates

0

Disables the automatic installation of minor updates.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

1

Disable automatic update.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers

1

Disable automatic reboot when users are logged on.


In most instances of this campaign observed, Healer.exe is executed before the deployment of Amadey/Redline. This also makes sense logically, since the threat actor would want to disable security measures in order to ensure flawless deployment and execution of the further stages. 

The fact that in this case, Healer is deployed after Amadey leads us to believe that this may be an error made by the threat actor associated with this specific campaign.

Stage 3 - Dropper no. 1 (Drops Redline)

Lastly, the second file dropped by the first stage dropper (in this case, j3096141.exe) is executed. This is a variant of the Redline Infostealer. It comes in the form of a PE32 .NET assembly, and has the capability of saving saved credentials, cookies, and other information from multiple popular browsers and cryptocurrency wallets. 

You can read more about the Redline Infostealer in our technical analysis report here.

An example of Redline’s configuration

Indicators of Compromise (IoCs)



SHA256

80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376

d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800

1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5

850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2

021ae2fadbc8bc4e83013de03902e6e97c2815ab821adaa58037e562a6b2357b

aab1460440bee10e2efec9b5c83ea20ed85e7a17d4ed3b4a19341148255d54b1

54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc

0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41

cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8

3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

35E5DF856FEE7AAB059E2B80D3A2FC9207CBE3882B3626FAB11F34EA3383F043

4E1377F9874F333DCB0B1B758E3131949E667FC39AADF3091E4E3B7CDBAEEF1D

91FDA0FD32F0E8FD120E767235C58C189F6CC3119D06A813E1C642AB95F28C10

4E1377F9874F333DCB0B1B758E3131949E667FC39AADF3091E4E3B7CDBAEEF1D

850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38


IPv4

224.0.0.252

77.91.68.3

77.91.68.68

193.233.20.7

62.204.41.5

62.204.41.251

193.233.20.11


URLs

http://77.91.68.3/home/love/Plugins/cred64.dll

http://77.91.68.3/home/love/index.php

http://77.91.68.3/home/love/Plugins/clip64.dll

http://62.204.41.5/Bu58Ngs/Plugins/cred64.dll

http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll

http://62.204.41.5/Bu58Ngs/index.php


Yara Rules

Amadey


rule win_amadey_a9f4 {

    meta:
        author                    = "Johannes Bader"
        date                      = "2022-11-17"
        description               = "matches unpacked Amadey samples"
        hash_md5                  = "25cfcfdb6d73d9cfd88a5247d4038727"
        hash_sha1                 = "912d1ef61750bc622ee069cdeed2adbfe208c54d"
        hash_sha256               = "03effd3f94517b08061db014de12f8bf01166a04e93adc2f240a6616bb3bd29a"
        malpedia_family           = "win.amadey"
        tlp                       = "TLP:WHITE"
        version                   = "v1.0"
        yarahub_author_email      = "[email protected]"
        yarahub_author_twitter    = "@viql"
        yarahub_license           = "CC BY-SA 4.0"
        yarahub_reference_md5     = "25cfcfdb6d73d9cfd88a5247d4038727"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp  = "TLP:WHITE"
        yarahub_uuid              = "a9f41cd4-3f67-42fc-b310-e9b251c95fe4"

    strings:
        $pdb  = "\\Amadey\\Release\\Amadey.pdb"
        /*  Amadey uses multiple hex strings to decrypt the strings, C2 traffic
            and as identification. The preceeding string 'stoi ...' is added to
            improve performance.
        */
        $keys = /stoi argument out of range\x00\x00[a-f0-9]{32}\x00{1,16}[a-f0-9]{32}\x00{1,4}[a-f0-9]{6}\x00{1,4}[a-f0-9]{32}\x00/

    condition:
        uint16(0) == 0x5A4D and
        (
            $pdb or $keys
        )
}

rule win_amadey_auto {

meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
version = "1"
description = "Detects win.amadey."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
malpedia_rule_date = "20230705"
malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
malpedia_version = "20230715"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"

/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/

strings:
$sequence_0 = { 8945f4 837df408 744f 8d85e8fdffff 890424 e8???????? c70424???????? }
// n = 7, score = 700
//   8945f4               | mov                 dword ptr [ebp - 0xc], eax
//   837df408             | cmp                 dword ptr [ebp - 0xc], 8
//   744f                 | je                  0x51
//   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
//   890424               | mov                 dword ptr [esp], eax
//   e8????????           |                     
//   c70424????????       |                     

$sequence_1 = { c745fc00000000 e8???????? 84c0 750c c7042401000000 e8???????? e8???????? }
// n = 7, score = 700
//   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
//   e8????????           |                     
//   84c0                 | test                al, al
//   750c                 | jne                 0xe
//   c7042401000000       | mov                 dword ptr [esp], 1
//   e8????????           |                     
//   e8????????           |                     

$sequence_2 = { 89442404 891424 e8???????? 85c0 7510 8b45fc 40 }
// n = 7, score = 700
//   89442404             | mov                 dword ptr [esp + 4], eax
//   891424               | mov                 dword ptr [esp], edx
//   e8????????           |                     
//   85c0                 | test                eax, eax
//   7510                 | jne                 0x12
//   8b45fc               | mov                 eax, dword ptr [ebp - 4]
//   40                   | inc                 eax

$sequence_3 = { 890424 e8???????? c7042400000000 e8???????? 81c424040000 }
// n = 5, score = 700
//   890424               | mov                 dword ptr [esp], eax
//   e8????????           |                     
//   c7042400000000       | mov                 dword ptr [esp], 0
//   e8????????           |                     
//   81c424040000         | add                 esp, 0x424

$sequence_4 = { e8???????? 8945f4 837df40a 0f842e010000 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df40a             | cmp                 dword ptr [ebp - 0xc], 0xa
            //   0f842e010000         | je                  0x134

        $sequence_5 = { e8???????? c7442404???????? 8b4508 890424 e8???????? 85c0 7e75 }
            // n = 7, score = 700
            //   e8????????           |                     
            //   c7442404????????     |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7e75                 | jle                 0x77

        $sequence_6 = { 890424 e8???????? c7042401000000 e8???????? 89442404 8d85e8fbffff 890424 }
            // n = 7, score = 700
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   e8????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d85e8fbffff         | lea                 eax, [ebp - 0x418]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_7 = { e8???????? 8b4508 c60000 c9 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c60000               | mov                 byte ptr [eax], 0
            //   c9                   | leave               

        $sequence_8 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 }
            // n = 5, score = 500
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_9 = { 83fa10 722f 8b8d78feffff 42 8bc1 81fa00100000 7214 }
            // n = 7, score = 500
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d78feffff         | mov                 ecx, dword ptr [ebp - 0x188]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx
            //   81fa00100000         | cmp                 edx, 0x1000
            //   7214                 | jb                  0x16

        $sequence_10 = { 52 51 e8???????? 83c408 8b955cfeffff }
            // n = 5, score = 400
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b955cfeffff         | mov                 edx, dword ptr [ebp - 0x1a4]

        $sequence_11 = { 50 68???????? 83ec18 8bcc 68???????? }
            // n = 5, score = 400
            //   50                   | push                eax
            //   68????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     

        $sequence_12 = { 8b7dfc 8d4201 3bcb 7ccb 837e1410 }
            // n = 5, score = 400
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   8d4201               | lea                 eax, [edx + 1]
            //   3bcb                 | cmp                 ecx, ebx
            //   7ccb                 | jl                  0xffffffcd
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
-- contd--
 ---contd----
        $sequence_13 = { 83c408 8b554c c7453000000000 c745340f000000 c6452000 83fa10 0f8204ffffff }
            // n = 7, score = 400
            //   83c408               | add                 esp, 8
            //   8b554c               | mov                 edx, dword ptr [ebp + 0x4c]
            //   c7453000000000       | mov                 dword ptr [ebp + 0x30], 0
            //   c745340f000000       | mov                 dword ptr [ebp + 0x34], 0xf
            //   c6452000             | mov                 byte ptr [ebp + 0x20], 0
            //   83fa10               | cmp                 edx, 0x10
            //   0f8204ffffff         | jb                  0xffffff0a

        $sequence_14 = { 68e8030000 ff15???????? 8b551c 83fa10 7228 8b4d08 }
            // n = 6, score = 400
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   8b551c               | mov                 edx, dword ptr [ebp + 0x1c]
            //   83fa10               | cmp                 edx, 0x10
            //   7228                 | jb                  0x2a
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_15 = { 83fa10 722f 8b8d60feffff 42 }
            // n = 4, score = 400
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d60feffff         | mov                 ecx, dword ptr [ebp - 0x1a0]
            //   42                   | inc                 edx

        $sequence_16 = { 68???????? e8???????? 8d4db4 e8???????? 83c418 }
            // n = 5, score = 400
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_17 = { c78514feffff0f000000 c68500feffff00 83fa10 722f 8b8de8fdffff 42 }
            // n = 6, score = 300
            //   c78514feffff0f000000     | mov    dword ptr [ebp - 0x1ec], 0xf
            //   c68500feffff00       | mov                 byte ptr [ebp - 0x200], 0
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8de8fdffff         | mov                 ecx, dword ptr [ebp - 0x218]
            //   42                   | inc                 edx

        $sequence_18 = { 83c408 8b95fcfdffff c78510feffff00000000 c78514feffff0f000000 c68500feffff00 83fa10 }
            // n = 6, score = 300
            //   83c408               | add                 esp, 8
            //   8b95fcfdffff         | mov                 edx, dword ptr [ebp - 0x204]
            //   c78510feffff00000000     | mov    dword ptr [ebp - 0x1f0], 0
            //   c78514feffff0f000000     | mov    dword ptr [ebp - 0x1ec], 0xf
            //   c68500feffff00       | mov                 byte ptr [ebp - 0x200], 0
            //   83fa10               | cmp                 edx, 0x10

    condition:
        7 of them and filesize < 520192
}

}

Redline


rule detect_Redline_Stealer {
     meta:
        date = "2023-06-06"
        author ="Varp0s"
        yarahub_reference_md5     = "554d25724c8f6f53af8721d0ef6b6f42"
        yarahub_uuid = "671d6f32-8236-46b5-80e3-057192936607"
        yarahub_license =  "CC0 1.0"
        yarahub_rule_matching_tlp =  "TLP:WHITE"
        yarahub_rule_sharing_tlp =  "TLP:WHITE"
        tlp = "WHITE"

    strings:

        $req0 = {72 75 6E 64 6C 6C 33 32 2E 65 78 65 20 25 73 61} 
        $req1 = {43 6F 6E 74 72 6F 6C 20 50 61 6E 65 6C 5C 44 65}
        $req2 = {77 65 78 74 72 61 63 74 2E 70 64 62 00} 
        $req3 = {49 58 50 25 30 33 64 2E 54 4D 50 00}
        $req4 = {54 4D 50 34 33 35 31 24 2E 54 4D 50 00}
        $req5 = {43 6F 6D 6D 61 6E 64 2E 63 6F 6D 20 2F 63 20 25} 
        $req6 = {55 50 44 46 49 4C 45 25 6C 75 00}


              
    condition:
        all of them
}  






rule detect_Redline_Stealer_V2 {
     meta:
        date = "2023-06-06"
        author ="Varp0s"
        yarahub_reference_md5     = "554d25724c8f6f53af8921d0ef6b6f42"
        yarahub_uuid = "e20669f7-da89-41f6-abeb-c3b5a770530e"
        yarahub_license =  "CC0 1.0"
        yarahub_rule_matching_tlp =  "TLP:WHITE"
        yarahub_rule_sharing_tlp =  "TLP:WHITE"
        tlp = "WHITE"
    strings:

        $req0 = {41 00 75 00 74 00 68 00 6F 00 72 00 69 00 7A} 
        $req1 = {6E 00 65 00 74 00 2E 00 74 00 63 00 70 00 3A 00}
        $req3 = {44 00 65 00 63 00 63 00 69 00 65 00 00 00}
        $req4 = {61 00 6D 00 6B 00 6D 00 6A 00 6A 00 6D 00 6D 00}
        $req5 = {31 00 36 00 33 00 2E 00 31 00 32 00 33 00 2E 00}
        $req6 = {59 00 61 00 6E 00 64 00 65 00 78 00 5C 00 59 00}
        $req7 = {31 00 2A 00 2E 00 31 00 6C 00 31 00 64 00 31 00}

              
    condition:
        3 of them 
} 

Healer.exe


import "pe"

rule detect_Healer_Defender_Disabler {
    meta:
        date = "2023-07-25"
        author = "Mehardeep Singh Sawhney"
        description = "Rule to detect Healer Microsoft Defender disabler"
        tlp = "WHITE"

    strings:
        $string1 = "Program.DisableService(\"WinDefend\");"
        $string2 = "Program.RegistryEdit(\"SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\", \"TamperProtection\", \"0\");"
        $string3 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\", \"DisableAntiSpyware\", \"1\");"
        $string4 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableBehaviorMonitoring\", \"1\");"
        $string5 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableIOAVProtection\", \"1\");"
        $string6 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableOnAccessProtection\", \"1\");"
        $string7 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableRealtimeMonitoring\", \"1\");"
        $string8 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\", \"DisableScanOnRealtimeEnable\", \"1\");"
        $string9 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\", \"DisableNotifications\", \"1\");"
        $string10 = "Program.DisableService(\"wuauserv\");"
        $string11 = "Program.DisableService(\"WaaSMedicSvc\");"
        $string12 = "Program.DisableService(\"UsoSvc\");"
        $string13 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"AUOptions\", \"2\");"
        $string14 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"AutoInstallMinorUpdates\", \"0\");"
        $string15 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"NoAutoUpdate\", \"1\");"
        $string16 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"NoAutoRebootWithLoggedOnUsers\", \"1\");"
        $string17 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\", \"UseWUServer\", \"1\");"
        $string18 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"DoNotConnectToWindowsUpdateInternetLocations\", \"1\");"
        $string19 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"WUStatusServer\", \"server.wsus\");"
        $string20 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"WUServer\", \"server.wsus\");"
        $string21 = "Program.RegistryEdit(\"SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\", \"UpdateServiceUrlAlternate\", \"server.wsus\");"

    condition:
        all of them and pe.is_dotnet
}