amadey | 7f0325d4217054cdab8d35ac1adb47ba8ea7e2ec01b7dda452e65d0dc742dc2f

General

Target

d9dce3b43103ba7c9c7993a1a4f5070b.exe
Size

1.4MB
MD5

d9dce3b43103ba7c9c7993a1a4f5070b
SHA1

0c6b82c436aff245a1c3a5bab3947de41b52744c
SHA256

7f0325d4217054cdab8d35ac1adb47ba8ea7e2ec01b7dda452e65d0dc742dc2f
SHA512

c12a4a6ffedf54149ec732dbc915e12845ee82874c4b248b8ce3131b912e96ae3c5ea981b50905c99f7f34539f6f499754a8fc8c3f93a4a07bb19f572d6e98e8
SSDEEP

24576:2y4AfNrEEEY3Uk8I7ZLKySp0Hu4dWMnYYDWSiJzqMtx15T/T8PwLyxC+:F4AfhNUk8IFLKySpggxJNx15R

Score

10^/10

amadey mystic redline jang infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

jang

C2

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4012392.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0933183.exe	family_redline
behavioral1/memory/2996-61-0x0000000000A90000-0x0000000000AC0000-memory.dmp	family_redline

Executes dropped EXE 9 IoCs

Processes:

y5573007.exey0320571.exey3397747.exel9706125.exesaves.exem4012392.exen0933183.exesaves.exesaves.exe

pid process

1120 y5573007.exe
932 y0320571.exe
2928 y3397747.exe
3040 l9706125.exe
2740 saves.exe
2572 m4012392.exe
2996 n0933183.exe
1552 saves.exe
2876 saves.exe

pid	process
1120	y5573007.exe
932	y0320571.exe
2928	y3397747.exe
3040	l9706125.exe
2740	saves.exe
2572	m4012392.exe
2996	n0933183.exe
1552	saves.exe
2876	saves.exe

Loads dropped DLL 14 IoCs

Processes:

d9dce3b43103ba7c9c7993a1a4f5070b.exey5573007.exey0320571.exey3397747.exel9706125.exesaves.exem4012392.exen0933183.exe

pid	process
2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe
1120	y5573007.exe
1120	y5573007.exe
932	y0320571.exe
932	y0320571.exe
2928	y3397747.exe
2928	y3397747.exe
3040	l9706125.exe
3040	l9706125.exe
2740	saves.exe
2928	y3397747.exe
2572	m4012392.exe
932	y0320571.exe
2996	n0933183.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9dce3b43103ba7c9c7993a1a4f5070b.exey5573007.exey0320571.exey3397747.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9dce3b43103ba7c9c7993a1a4f5070b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5573007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0320571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y3397747.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2564 schtasks.exe

pid	process
2564	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d9dce3b43103ba7c9c7993a1a4f5070b.exey5573007.exey0320571.exey3397747.exel9706125.exesaves.execmd.exe

description	pid	process	target process
PID 2268 wrote to memory of 1120	2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe	y5573007.exe
PID 2268 wrote to memory of 1120	2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe	y5573007.exe
PID 2268 wrote to memory of 1120	2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe	y5573007.exe
PID 2268 wrote to memory of 1120	2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe	y5573007.exe
PID 2268 wrote to memory of 1120	2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe	y5573007.exe
PID 2268 wrote to memory of 1120	2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe	y5573007.exe
PID 2268 wrote to memory of 1120	2268	d9dce3b43103ba7c9c7993a1a4f5070b.exe	y5573007.exe
PID 1120 wrote to memory of 932	1120	y5573007.exe	y0320571.exe
PID 1120 wrote to memory of 932	1120	y5573007.exe	y0320571.exe
PID 1120 wrote to memory of 932	1120	y5573007.exe	y0320571.exe
PID 1120 wrote to memory of 932	1120	y5573007.exe	y0320571.exe
PID 1120 wrote to memory of 932	1120	y5573007.exe	y0320571.exe
PID 1120 wrote to memory of 932	1120	y5573007.exe	y0320571.exe
PID 1120 wrote to memory of 932	1120	y5573007.exe	y0320571.exe
PID 932 wrote to memory of 2928	932	y0320571.exe	y3397747.exe
PID 932 wrote to memory of 2928	932	y0320571.exe	y3397747.exe
PID 932 wrote to memory of 2928	932	y0320571.exe	y3397747.exe
PID 932 wrote to memory of 2928	932	y0320571.exe	y3397747.exe
PID 932 wrote to memory of 2928	932	y0320571.exe	y3397747.exe
PID 932 wrote to memory of 2928	932	y0320571.exe	y3397747.exe
PID 932 wrote to memory of 2928	932	y0320571.exe	y3397747.exe
PID 2928 wrote to memory of 3040	2928	y3397747.exe	l9706125.exe
PID 2928 wrote to memory of 3040	2928	y3397747.exe	l9706125.exe
PID 2928 wrote to memory of 3040	2928	y3397747.exe	l9706125.exe
PID 2928 wrote to memory of 3040	2928	y3397747.exe	l9706125.exe
PID 2928 wrote to memory of 3040	2928	y3397747.exe	l9706125.exe
PID 2928 wrote to memory of 3040	2928	y3397747.exe	l9706125.exe
PID 2928 wrote to memory of 3040	2928	y3397747.exe	l9706125.exe
PID 3040 wrote to memory of 2740	3040	l9706125.exe	saves.exe
PID 3040 wrote to memory of 2740	3040	l9706125.exe	saves.exe
PID 3040 wrote to memory of 2740	3040	l9706125.exe	saves.exe
PID 3040 wrote to memory of 2740	3040	l9706125.exe	saves.exe
PID 3040 wrote to memory of 2740	3040	l9706125.exe	saves.exe
PID 3040 wrote to memory of 2740	3040	l9706125.exe	saves.exe
PID 3040 wrote to memory of 2740	3040	l9706125.exe	saves.exe
PID 2928 wrote to memory of 2572	2928	y3397747.exe	m4012392.exe
PID 2928 wrote to memory of 2572	2928	y3397747.exe	m4012392.exe
PID 2928 wrote to memory of 2572	2928	y3397747.exe	m4012392.exe
PID 2928 wrote to memory of 2572	2928	y3397747.exe	m4012392.exe
PID 2928 wrote to memory of 2572	2928	y3397747.exe	m4012392.exe
PID 2928 wrote to memory of 2572	2928	y3397747.exe	m4012392.exe
PID 2928 wrote to memory of 2572	2928	y3397747.exe	m4012392.exe
PID 2740 wrote to memory of 2564	2740	saves.exe	schtasks.exe
PID 2740 wrote to memory of 2564	2740	saves.exe	schtasks.exe
PID 2740 wrote to memory of 2564	2740	saves.exe	schtasks.exe
PID 2740 wrote to memory of 2564	2740	saves.exe	schtasks.exe
PID 2740 wrote to memory of 2564	2740	saves.exe	schtasks.exe
PID 2740 wrote to memory of 2564	2740	saves.exe	schtasks.exe
PID 2740 wrote to memory of 2564	2740	saves.exe	schtasks.exe
PID 932 wrote to memory of 2996	932	y0320571.exe	n0933183.exe
PID 932 wrote to memory of 2996	932	y0320571.exe	n0933183.exe
PID 932 wrote to memory of 2996	932	y0320571.exe	n0933183.exe
PID 932 wrote to memory of 2996	932	y0320571.exe	n0933183.exe
PID 932 wrote to memory of 2996	932	y0320571.exe	n0933183.exe
PID 932 wrote to memory of 2996	932	y0320571.exe	n0933183.exe
PID 932 wrote to memory of 2996	932	y0320571.exe	n0933183.exe
PID 2740 wrote to memory of 2468	2740	saves.exe	cmd.exe
PID 2740 wrote to memory of 2468	2740	saves.exe	cmd.exe
PID 2740 wrote to memory of 2468	2740	saves.exe	cmd.exe
PID 2740 wrote to memory of 2468	2740	saves.exe	cmd.exe
PID 2740 wrote to memory of 2468	2740	saves.exe	cmd.exe
PID 2740 wrote to memory of 2468	2740	saves.exe	cmd.exe
PID 2740 wrote to memory of 2468	2740	saves.exe	cmd.exe
PID 2468 wrote to memory of 2492	2468	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d9dce3b43103ba7c9c7993a1a4f5070b.exe
"C:\Users\Admin\AppData\Local\Temp\d9dce3b43103ba7c9c7993a1a4f5070b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5573007.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5573007.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0320571.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0320571.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3397747.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3397747.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9706125.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9706125.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
7⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2492

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
8⤵
PID:2500

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
8⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2496

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
8⤵
PID:2216

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
8⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4012392.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4012392.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0933183.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0933183.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996

C:\Windows\system32\taskeng.exe
taskeng.exe {AEABF479-29E3-4C09-89B3-77568B4F8672} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
2⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
2⤵
- Executes dropped EXE
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5573007.exe
Filesize
1.3MB

MD5
1dab5b16c54630ab6301e4862f8df0e0

SHA1
56cbaa192dcdf768cf27651a6772f6aee68091e6

SHA256
1877311823db6ba59449f0d4198c863b355270a0b939c3e2e3187007cfd1a78d

SHA512
42f85dc712579577ff04c7bc54cf5c384058610e71bc89e6c282302c11be6d8ef8c004bf47c715f7e2999bd953e554f44abe74f2142fd97dccb9e4f2b458feea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0320571.exe
Filesize
475KB

MD5
ba1c85e520d415fddd1417ffcd74b0f6

SHA1
a41da3bd4f2f742910ad2a728bc36f2947b0e82d

SHA256
7d4931e51585d1e364bfb34f1afb1cd05f1502ea152b9340916576bf0f5d5dc6

SHA512
5f00f855b08c85e7c82e7ae4b37a9e7f2692afb09080154a2b20a55d1422c44909084c0e539d854ac256aa7b97facce1df3892ba86c85b0775e990103d913151

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0933183.exe
Filesize
174KB

MD5
2e47ffa00d8f4df0f9c9486bc478fcba

SHA1
ff133754d1851198ba550854fecc5a3463db0065

SHA256
534653d922fc4d6f4967befbbf83af8ddfa3982e3bca29b9274f0370945f7fb7

SHA512
da6115615b18432e373d09470769ea97bda084df573e751ff430dbada63736595aea8f943467e1bec91209bb37982bc296b7ff5c2dea9a2d207ea3242136eaab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3397747.exe
Filesize
319KB

MD5
adfb99d9e67648cedbf04b6f906bf667

SHA1
24c961b4c022701e1d426f9974255126b2ce1d09

SHA256
6f83c9db7d351f52f43214ecc83c2b188052ab0677a9368c91265b95759f7c38

SHA512
95010961110624767b2ff02914e02a433ae8ff5a2935d860caf2ee2f6c20982bb2fb5ec493bda608511504e89ed8e9ff39d2abff03ea83c50927bae4263107e1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9706125.exe
Filesize
329KB

MD5
2d4e41efd3db85a992d313e56cb51345

SHA1
db3dea73b3e08d98da7697473890c6b74725280e

SHA256
b3996d6c396fde63249c938f4207f2172bd56c55eba8984f0ba589ec57924aa9

SHA512
ed796e2285516e0955c83119e7490fd4d03fc490ffc5406e5c3c4d427d9a3d4d3dd1e3c523e5ef3851bc0aef79c1aa99b120d2ce21c2244ca33210b20885c7fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4012392.exe
Filesize
140KB

MD5
9ee79745f1bd3aec20c71e60cbe12907

SHA1
798d7fdd9bf1c6f6dac8d03091a481251ba55561

SHA256
9d02d0be0ac9910c9ff48448f92c0bbe88e3dd18f723d6f2af86195c6e7bd7fe

SHA512
af7cb654ad18a76e038ac5cd2a4c3c30a1bee0bef7b32ff15162339fd3b042d40e0f5bcd3b689c1103c393158522b5e108c27b10c65739ae24b04dbf5ffc3a60

Download Submit
memory/2996-61-0x0000000000A90000-0x0000000000AC0000-memory.dmp

Filesize
192KB

Download
memory/2996-62-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads