Overview

overview

10

Static

static

3

7bf753b3b2...24.exe

windows7-x64

10

7bf753b3b2...24.exe

windows10-1703-x64

10

7bf753b3b2...24.exe

windows10-2004-x64

10

7bf753b3b2...24.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 13:47

240409-q3kvgsbh4v 10

09-04-2024 13:47

240409-q3j8ysbh4t 10

09-04-2024 13:47

240409-q3jx7age85 10

09-04-2024 13:47

240409-q3jbnage84 10

31-08-2023 01:46

230831-b626lsbf9x 10

Analysis

  • max time kernel
    1799s
  • max time network
    1801s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-04-2024 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524.exe

  • Size

    1.4MB

  • MD5

    a5dfba638e1d160071f6b4b3506fe316

  • SHA1

    c284314d0de513cd37a9b01c8e5a9aabe4fd9bb3

  • SHA256

    7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524

  • SHA512

    822fc7b7e4133c6bf8ac58790b327352bee771230c7f67f55c881c80cc4b26d09eb4b16cae0065edb23e1249167a03939a5fd97c3c359a5dc081ddb872b26fc6

  • SSDEEP

    24576:ryTL4TvffA66MEMTOLq5MhObXGcL+HsZzKyOF3kJSNl/jUXFsMeLMKdI/OGmhi3t:eT8T3fA5MEMTOLiycSOK93hIveYYI/Hz

Score
10/10
amadeymysticredlinesrutainfostealerpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

sruta

C2

77.91.124.82:19071

Attributes
  • auth_value

    c556edcd49703319eca74247de20c236

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 37 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524.exe
    "C:\Users\Admin\AppData\Local\Temp\7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2806158.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2806158.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4061380.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4061380.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5044543.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5044543.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1481423.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1481423.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4700
            • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2116
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:3916
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4708
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:4116
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "saves.exe" /P "Admin:N"
                    8⤵
                      PID:2552
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:R" /E
                      8⤵
                        PID:3392
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:2056
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\b40d11255d" /P "Admin:N"
                          8⤵
                            PID:4088
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:R" /E
                            8⤵
                              PID:3560
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3280700.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3280700.exe
                        5⤵
                        • Executes dropped EXE
                        PID:4628
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7852691.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7852691.exe
                      4⤵
                      • Executes dropped EXE
                      PID:1680
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4852
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3316
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:712
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1796
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2828
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3772
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4768
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4932
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1324
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3824
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2876
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1200
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2168
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2280
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2308
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3936
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1288
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2716
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:504
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4428
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1196
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4840
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4652
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2196
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3412
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2948
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:860
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3040
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:504
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3792

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2806158.exe
                Filesize

                1.3MB

                MD5

                f444d350db44153332aec8b6d8c84d4a

                SHA1

                143761c8ec5bf0db418193dd102626aa44166433

                SHA256

                7b61edd23dee370d6938bc4c891473176eb46e46ad570a95a3c8af5b7287504a

                SHA512

                6980b5ad263ee215b6038ff547f77d0e5fd0d754a05e177df766acc2d297d3b39c4f60d2316cd1a90e5fe952be56b53374d49abbf8177688b392e85b698b3b3e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4061380.exe
                Filesize

                475KB

                MD5

                47111c2467fcc57226206434df4aef5f

                SHA1

                2f16a26e8ca33b317a9304eeb19641256263edbd

                SHA256

                500b30b9b08025fddc3de4a8e7f3e240b7ae4667515d13f4c855ac563c68eb74

                SHA512

                228e1c5151079c2e1b2ffca65c4a137e8c3bccdabf5c945ab99bc5acf31d1def7203cb4f49e79d8f061a81fe601f37eaf99ee9ddb94babea428beddf571459bd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7852691.exe
                Filesize

                174KB

                MD5

                a9288b0c28cf6c9f101af480513c0aec

                SHA1

                9e39db8e0f69f2c9fc570fe5bd4f149f6076389b

                SHA256

                bd1e7065344daa64692539e244342eac35904a9f194a7eb75aa985e5cdb5037c

                SHA512

                8633b3e71b022e584d4ebfc69b8a278b7456490d57e14fa702af4aa115b8eb26755ea33c7943cf77319b9af5e2b6c364f7fabc97742dd7c9cf0091ad58c59709

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5044543.exe
                Filesize

                320KB

                MD5

                18e0243bb67ab7a819eab64ddf018649

                SHA1

                518c71661ce38ec4f991d55bee4e360dec8d8024

                SHA256

                cac8af5dededf0a8e40c2c27f39065fd3c49f06040f975fae9f34c5ac10eaee3

                SHA512

                1fdc724077828f4066f048c3afd591023ad4caca1bcd96dd1aa5aeb2667f5606171786bb45b69b03b2f393213f8658f08ec231b3c91e24d91e0c5cdca60145f2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1481423.exe
                Filesize

                325KB

                MD5

                bfa836d65f048633b5ef820e342fdeb2

                SHA1

                958362033cb7c1a01bccd16a4ae3cc9922e6e110

                SHA256

                9fc979774b89cb53f091c6e39d56a3f8fb0ecaae260be2b2cb61089409666539

                SHA512

                2daf8d7a519d97f43fc570a041cabd3c83d2fe45926d7c7b1930da9d75f142bb4eef6b6004f414485833461823f0d71b16005458028ff7ff89f08f87f480f6a5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3280700.exe
                Filesize

                140KB

                MD5

                dde5bb1752b2ca2ee22efd5a5d1e8f54

                SHA1

                813478bf68868d64925d5abcf2146015b24cd531

                SHA256

                d8c3b35ff30d29db325eb12e2fd81784ddec984e8ba23b3b8dfe03c5b84a3fce

                SHA512

                11accf17d9da7d8af7d120da294cfc69f7a6f11795cd7c01d65295d49afa16a65ffd17a3c10f9af781808bf72d9aae239d72281ec8dc19020bffcc7b7f974304

                Download Submit

              • memory/1680-40-0x0000000000A70000-0x0000000000AA0000-memory.dmp

                Filesize

                192KB

                Download

              • memory/1680-41-0x0000000071F00000-0x00000000725EE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/1680-42-0x0000000002D30000-0x0000000002D36000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1680-43-0x000000000AE40000-0x000000000B446000-memory.dmp

                Filesize

                6.0MB

                Download

              • memory/1680-44-0x000000000A940000-0x000000000AA4A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1680-45-0x0000000005420000-0x0000000005432000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1680-46-0x000000000A830000-0x000000000A86E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1680-47-0x0000000002DA0000-0x0000000002DEB000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1680-48-0x0000000071F00000-0x00000000725EE000-memory.dmp

                Filesize

                6.9MB

                Download