amadey | e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16

General

Target

e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe
Size

279KB
MD5

020c54cab2f3ef59732b60d2faef5051
SHA1

7c0a3a19dbc658b841068684e5442d7894ae7eda
SHA256

e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16
SHA512

6820aaf46f29589deafccc38a37366fa2e187128c2503e6bbbce845474136f705aa72db35803599a7291f20a039b6542d71daef96dab185aeea52455b6ddccef
SSDEEP

6144:KMy+bnr+Qp0yN90QE/Ml7Vo2dT6c0C752jb4ueelteAYW9D:EMrMy90BMb7dJdl2jb4C8W9D

Score

10^/10

amadey mystic persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l0360849.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	l0360849.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 5 IoCs

Processes:

l0360849.exeexplonde.exem8875008.exeexplonde.exeexplonde.exe

pid process

208 l0360849.exe
4100 explonde.exe
2320 m8875008.exe
3592 explonde.exe
5040 explonde.exe

pid	process
208	l0360849.exe
4100	explonde.exe
2320	m8875008.exe
3592	explonde.exe
5040	explonde.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2808 schtasks.exe

pid	process
2808	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exel0360849.exeexplonde.execmd.exe

description	pid	process	target process
PID 3520 wrote to memory of 208	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	l0360849.exe
PID 3520 wrote to memory of 208	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	l0360849.exe
PID 3520 wrote to memory of 208	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	l0360849.exe
PID 208 wrote to memory of 4100	208	l0360849.exe	explonde.exe
PID 208 wrote to memory of 4100	208	l0360849.exe	explonde.exe
PID 208 wrote to memory of 4100	208	l0360849.exe	explonde.exe
PID 3520 wrote to memory of 2320	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	m8875008.exe
PID 3520 wrote to memory of 2320	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	m8875008.exe
PID 3520 wrote to memory of 2320	3520	e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe	m8875008.exe
PID 4100 wrote to memory of 2808	4100	explonde.exe	schtasks.exe
PID 4100 wrote to memory of 2808	4100	explonde.exe	schtasks.exe
PID 4100 wrote to memory of 2808	4100	explonde.exe	schtasks.exe
PID 4100 wrote to memory of 1712	4100	explonde.exe	cmd.exe
PID 4100 wrote to memory of 1712	4100	explonde.exe	cmd.exe
PID 4100 wrote to memory of 1712	4100	explonde.exe	cmd.exe
PID 1712 wrote to memory of 2616	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 2616	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 2616	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 872	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 872	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 872	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 1924	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 1924	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 1924	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 2124	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 2124	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 2124	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 4908	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 4908	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 4908	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 4936	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 4936	1712	cmd.exe	cacls.exe
PID 1712 wrote to memory of 4936	1712	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe
"C:\Users\Admin\AppData\Local\Temp\e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
4⤵
- Creates scheduled task(s)
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2616

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
5⤵
PID:872

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
5⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2124

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
5⤵
PID:4908

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
5⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
2⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
Filesize
219KB

MD5
13eee1f46859b85907d82b14ddf0caa7

SHA1
d4c157df5ab479f3c2f43cb5ebdadcb504689693

SHA256
489999b8af918ee1d16e19519ebdc80c65b9950ce1411e1dce0f884434683f60

SHA512
d1b6a7cfa485e33be97f903e7eb2473f1dd1bb25cff45792589d4b416b01c4634ed5791e227eb28627c82ccc17322df7f951466d4a31652a58299f5d423b23d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
Filesize
141KB

MD5
a1fc6f1ac5d2b8e23b357116062fbc2f

SHA1
61e971e0e06954dad2fcaac014a302c0cdbf6985

SHA256
383126e4814f381d663aa1a90bc686edbb5e93cff42a3c38b61d9e45a2cf8ad5

SHA512
e894c0c27743e513f43e21d57eaacf5ad7255c2370101d289dee80e41cab6dfcf7dba601f4d35344f89bddfb7533678155b437bc2db2d7227c42c07ed4b9a78d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads