amadey | e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16 | Triage

Analysis

max time kernel
100s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2024, 01:39 UTC

Sharing

Report Analysis Logs

General

Target

e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe
Size

279KB
MD5

020c54cab2f3ef59732b60d2faef5051
SHA1

7c0a3a19dbc658b841068684e5442d7894ae7eda
SHA256

e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16
SHA512

6820aaf46f29589deafccc38a37366fa2e187128c2503e6bbbce845474136f705aa72db35803599a7291f20a039b6542d71daef96dab185aeea52455b6ddccef
SSDEEP

6144:KMy+bnr+Qp0yN90QE/Ml7Vo2dT6c0C752jb4ueelteAYW9D:EMrMy90BMb7dJdl2jb4C8W9D

Score

10^/10

amadey mystic persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231d8-18.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	l0360849.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 5 IoCs

pid	Process
208	l0360849.exe
4100	explonde.exe
2320	m8875008.exe
3592	explonde.exe
5040	explonde.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2808	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 208	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	85
PID 3520 wrote to memory of 208	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	85
PID 3520 wrote to memory of 208	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	85
PID 208 wrote to memory of 4100	208	l0360849.exe	86
PID 208 wrote to memory of 4100	208	l0360849.exe	86
PID 208 wrote to memory of 4100	208	l0360849.exe	86
PID 3520 wrote to memory of 2320	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	87
PID 3520 wrote to memory of 2320	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	87
PID 3520 wrote to memory of 2320	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	87
PID 4100 wrote to memory of 2808	4100	explonde.exe	88
PID 4100 wrote to memory of 2808	4100	explonde.exe	88
PID 4100 wrote to memory of 2808	4100	explonde.exe	88
PID 4100 wrote to memory of 1712	4100	explonde.exe	90
PID 4100 wrote to memory of 1712	4100	explonde.exe	90
PID 4100 wrote to memory of 1712	4100	explonde.exe	90
PID 1712 wrote to memory of 2616	1712	cmd.exe	92
PID 1712 wrote to memory of 2616	1712	cmd.exe	92
PID 1712 wrote to memory of 2616	1712	cmd.exe	92
PID 1712 wrote to memory of 872	1712	cmd.exe	93
PID 1712 wrote to memory of 872	1712	cmd.exe	93
PID 1712 wrote to memory of 872	1712	cmd.exe	93
PID 1712 wrote to memory of 1924	1712	cmd.exe	94
PID 1712 wrote to memory of 1924	1712	cmd.exe	94
PID 1712 wrote to memory of 1924	1712	cmd.exe	94
PID 1712 wrote to memory of 2124	1712	cmd.exe	95
PID 1712 wrote to memory of 2124	1712	cmd.exe	95
PID 1712 wrote to memory of 2124	1712	cmd.exe	95
PID 1712 wrote to memory of 4908	1712	cmd.exe	96
PID 1712 wrote to memory of 4908	1712	cmd.exe	96
PID 1712 wrote to memory of 4908	1712	cmd.exe	96
PID 1712 wrote to memory of 4936	1712	cmd.exe	97
PID 1712 wrote to memory of 4936	1712	cmd.exe	97
PID 1712 wrote to memory of 4936	1712	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe
"C:\Users\Admin\AppData\Local\Temp\e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2616
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        5⤵
        
        PID:872
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        5⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        5⤵
        
        PID:4936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
  2⤵
  - Executes dropped EXE
  PID:2320

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:5040

Network

DNS

178.223.142.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.223.142.52.in-addr.arpa

IN PTR

Response
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response

77.91.68.52:80

explonde.exe

260 B
5
77.91.68.52:80

explonde.exe

260 B
5
77.91.68.52:80

explonde.exe

260 B
5

8.8.8.8:53

178.223.142.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

178.223.142.52.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe

Filesize
219KB

MD5
13eee1f46859b85907d82b14ddf0caa7

SHA1
d4c157df5ab479f3c2f43cb5ebdadcb504689693

SHA256
489999b8af918ee1d16e19519ebdc80c65b9950ce1411e1dce0f884434683f60

SHA512
d1b6a7cfa485e33be97f903e7eb2473f1dd1bb25cff45792589d4b416b01c4634ed5791e227eb28627c82ccc17322df7f951466d4a31652a58299f5d423b23d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe

Filesize
141KB

MD5
a1fc6f1ac5d2b8e23b357116062fbc2f

SHA1
61e971e0e06954dad2fcaac014a302c0cdbf6985

SHA256
383126e4814f381d663aa1a90bc686edbb5e93cff42a3c38b61d9e45a2cf8ad5

SHA512
e894c0c27743e513f43e21d57eaacf5ad7255c2370101d289dee80e41cab6dfcf7dba601f4d35344f89bddfb7533678155b437bc2db2d7227c42c07ed4b9a78d

Download Submit