amadey | 1877311823db6ba59449f0d4198c863b355270a0b939c3e2e3187007cfd1a78d

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y5573007.exe
Size

1.3MB
MD5

1dab5b16c54630ab6301e4862f8df0e0
SHA1

56cbaa192dcdf768cf27651a6772f6aee68091e6
SHA256

1877311823db6ba59449f0d4198c863b355270a0b939c3e2e3187007cfd1a78d
SHA512

42f85dc712579577ff04c7bc54cf5c384058610e71bc89e6c282302c11be6d8ef8c004bf47c715f7e2999bd953e554f44abe74f2142fd97dccb9e4f2b458feea
SSDEEP

24576:hyrM8ZC5Uq8G7ZaKyEpCAnszT82vCYF2oG1y2xeEVeTsWfLwzCY:UeUq8GFaKyEpPszT842FRxeEo

Score

10^/10

amadey mystic redline jang infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4012392.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4176-36-0x0000000000F90000-0x0000000000FC0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0933183.exe	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l9706125.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	l9706125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 8 IoCs

Processes:

y0320571.exey3397747.exel9706125.exesaves.exem4012392.exen0933183.exesaves.exesaves.exe

pid process

4456 y0320571.exe
4020 y3397747.exe
5084 l9706125.exe
3804 saves.exe
5060 m4012392.exe
4176 n0933183.exe
3920 saves.exe
372 saves.exe

pid	process
4456	y0320571.exe
4020	y3397747.exe
5084	l9706125.exe
3804	saves.exe
5060	m4012392.exe
4176	n0933183.exe
3920	saves.exe
372	saves.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y5573007.exey0320571.exey3397747.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	y5573007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0320571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3397747.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1800 schtasks.exe

pid	process
1800	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

y5573007.exey0320571.exey3397747.exel9706125.exesaves.execmd.exe

description	pid	process	target process
PID 3988 wrote to memory of 4456	3988	y5573007.exe	y0320571.exe
PID 3988 wrote to memory of 4456	3988	y5573007.exe	y0320571.exe
PID 3988 wrote to memory of 4456	3988	y5573007.exe	y0320571.exe
PID 4456 wrote to memory of 4020	4456	y0320571.exe	y3397747.exe
PID 4456 wrote to memory of 4020	4456	y0320571.exe	y3397747.exe
PID 4456 wrote to memory of 4020	4456	y0320571.exe	y3397747.exe
PID 4020 wrote to memory of 5084	4020	y3397747.exe	l9706125.exe
PID 4020 wrote to memory of 5084	4020	y3397747.exe	l9706125.exe
PID 4020 wrote to memory of 5084	4020	y3397747.exe	l9706125.exe
PID 5084 wrote to memory of 3804	5084	l9706125.exe	saves.exe
PID 5084 wrote to memory of 3804	5084	l9706125.exe	saves.exe
PID 5084 wrote to memory of 3804	5084	l9706125.exe	saves.exe
PID 4020 wrote to memory of 5060	4020	y3397747.exe	m4012392.exe
PID 4020 wrote to memory of 5060	4020	y3397747.exe	m4012392.exe
PID 4020 wrote to memory of 5060	4020	y3397747.exe	m4012392.exe
PID 4456 wrote to memory of 4176	4456	y0320571.exe	n0933183.exe
PID 4456 wrote to memory of 4176	4456	y0320571.exe	n0933183.exe
PID 4456 wrote to memory of 4176	4456	y0320571.exe	n0933183.exe
PID 3804 wrote to memory of 1800	3804	saves.exe	schtasks.exe
PID 3804 wrote to memory of 1800	3804	saves.exe	schtasks.exe
PID 3804 wrote to memory of 1800	3804	saves.exe	schtasks.exe
PID 3804 wrote to memory of 1720	3804	saves.exe	cmd.exe
PID 3804 wrote to memory of 1720	3804	saves.exe	cmd.exe
PID 3804 wrote to memory of 1720	3804	saves.exe	cmd.exe
PID 1720 wrote to memory of 408	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 408	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 408	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 3032	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 3032	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 3032	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 4464	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 4464	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 4464	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 744	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 744	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 744	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 696	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 696	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 696	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 3608	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 3608	1720	cmd.exe	cacls.exe
PID 1720 wrote to memory of 3608	1720	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\y5573007.exe
"C:\Users\Admin\AppData\Local\Temp\y5573007.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0320571.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0320571.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9706125.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9706125.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
1⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
2⤵
PID:3032

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
2⤵
PID:3608

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
2⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2⤵
PID:744

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
2⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0933183.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0933183.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4012392.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4012392.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3397747.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3397747.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0320571.exe
Filesize
23KB

MD5
c8941569e466057ba048d069189fbda0

SHA1
18c6f5c7457c26586b38ba6d7319e350e978d327

SHA256
8e0c305e89b9cf365a40e5173afed179307fc9b92709aa79b3e6d9f171528ae2

SHA512
0b4e1f52d849afbae50d50ab82c823236e6fa024b0043cca8931d797ee5d97496828a2f5ef258df8a3c28be7a0a3eb7ee748a22b918cfbc8cd503fd0d3d114f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0320571.exe
Filesize
54KB

MD5
1636bdaae860f49066d599ee0f758ce6

SHA1
205872f67b77e36201fc93b47d995c75f306f095

SHA256
43f75fb01fa855b46f69a1b6a603b4a809ebef3919e4ea47c44e24e7df3a1ce4

SHA512
a013b6f98878caf98232165e5f7e94ad4d04a7976a6cdbf6c72e34fa4bb488d82105efacfe3d5769b5733164a090d35adc0e7f9accda352d4fd4cd983df16219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0933183.exe
Filesize
174KB

MD5
2e47ffa00d8f4df0f9c9486bc478fcba

SHA1
ff133754d1851198ba550854fecc5a3463db0065

SHA256
534653d922fc4d6f4967befbbf83af8ddfa3982e3bca29b9274f0370945f7fb7

SHA512
da6115615b18432e373d09470769ea97bda084df573e751ff430dbada63736595aea8f943467e1bec91209bb37982bc296b7ff5c2dea9a2d207ea3242136eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3397747.exe
Filesize
319KB

MD5
adfb99d9e67648cedbf04b6f906bf667

SHA1
24c961b4c022701e1d426f9974255126b2ce1d09

SHA256
6f83c9db7d351f52f43214ecc83c2b188052ab0677a9368c91265b95759f7c38

SHA512
95010961110624767b2ff02914e02a433ae8ff5a2935d860caf2ee2f6c20982bb2fb5ec493bda608511504e89ed8e9ff39d2abff03ea83c50927bae4263107e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9706125.exe
Filesize
51KB

MD5
0a350d362e6d427120e885cf4c79abc2

SHA1
ef139ec885fae9f48abd8a14a44801a53eccb814

SHA256
8f2ab6a415f342695145006546d56b901b5b12aea2aadae5db75adfd4a3d08f2

SHA512
9cb64918aefd156a3d6303cfbdf734f595ad532e7afa43456da78c58a743ab0422fd9f2c12565c4e28de71cc503fc03a120ffc4ea93f2a44934c0d1d68d5b8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9706125.exe
Filesize
58KB

MD5
721f9f35454e395ee1286a549f3b91f3

SHA1
57d3b7c3e04a7214a6e10c256878ec1fe7b52fb4

SHA256
b4a09cb18ea921a36e3a24ec5915cc1320ca8cc5e0acd20290c4d90c9fb65b55

SHA512
8538b4d58b95c5e8bbf6561ee3aa865fb23599e6dfaf41370234980da5ea7d8367df3bb74e2fa7afbdd4ba90b81d1bc6e0fa924a9534ab9c3bfcf5523276235c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4012392.exe
Filesize
140KB

MD5
9ee79745f1bd3aec20c71e60cbe12907

SHA1
798d7fdd9bf1c6f6dac8d03091a481251ba55561

SHA256
9d02d0be0ac9910c9ff48448f92c0bbe88e3dd18f723d6f2af86195c6e7bd7fe

SHA512
af7cb654ad18a76e038ac5cd2a4c3c30a1bee0bef7b32ff15162339fd3b042d40e0f5bcd3b689c1103c393158522b5e108c27b10c65739ae24b04dbf5ffc3a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
Filesize
96KB

MD5
38f908c2954e41938d2105a980303e8d

SHA1
c2bf458f5d018d6dec77ff817f862290e9958801

SHA256
f75ab91cad3539fae52fab6c41c8425ada8355999fc0884029c0e7c059b2fc2f

SHA512
5e8aceffb43ec4e4c544976ae7a93b7390762d3821f7015441dd1821e6d52e79cfaf795257b48a484d80ea34fc6e8afaae8c4113590a56588d591a29722cb150

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
Filesize
329KB

MD5
2d4e41efd3db85a992d313e56cb51345

SHA1
db3dea73b3e08d98da7697473890c6b74725280e

SHA256
b3996d6c396fde63249c938f4207f2172bd56c55eba8984f0ba589ec57924aa9

SHA512
ed796e2285516e0955c83119e7490fd4d03fc490ffc5406e5c3c4d427d9a3d4d3dd1e3c523e5ef3851bc0aef79c1aa99b120d2ce21c2244ca33210b20885c7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
Filesize
160KB

MD5
1b608e4528f662526e020b8e6b6a59c4

SHA1
b91a5f63a3f8c7f850abf943be8a396dfc1038d2

SHA256
655ccfcb258e8538def6bc0e118674bb61219604bf0b87ca2c25f646eee70015

SHA512
6d7560f3b0de153976fbb3c2ac130f75096aae462c8ccbda697607c89b99333056166bc5e8a0180f53bd00cea251dc77dda28d1499c2e8ca4b9df8aa2c8f88db

Download Submit
memory/4176-41-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/4176-39-0x0000000005FE0000-0x00000000065F8000-memory.dmp

Filesize
6.1MB

Download
memory/4176-44-0x00000000059C0000-0x0000000005A0C000-memory.dmp

Filesize
304KB

Download
memory/4176-38-0x0000000003360000-0x0000000003366000-memory.dmp

Filesize
24KB

Download
memory/4176-37-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4176-36-0x0000000000F90000-0x0000000000FC0000-memory.dmp

Filesize
192KB

Download
memory/4176-43-0x0000000005870000-0x00000000058AC000-memory.dmp

Filesize
240KB

Download
memory/4176-42-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4176-45-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4176-46-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4176-40-0x0000000005AD0000-0x0000000005BDA000-memory.dmp

Filesize
1.0MB

Download