Overview

overview

10

Static

static

3

7bf753b3b2...24.exe

windows7-x64

10

7bf753b3b2...24.exe

windows10-1703-x64

10

7bf753b3b2...24.exe

windows10-2004-x64

10

7bf753b3b2...24.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 13:47

240409-q3kvgsbh4v 10

09-04-2024 13:47

240409-q3j8ysbh4t 10

09-04-2024 13:47

240409-q3jx7age85 10

09-04-2024 13:47

240409-q3jbnage84 10

31-08-2023 01:46

230831-b626lsbf9x 10

Analysis

  • max time kernel
    1774s
  • max time network
    1790s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-04-2024 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524.exe

  • Size

    1.4MB

  • MD5

    a5dfba638e1d160071f6b4b3506fe316

  • SHA1

    c284314d0de513cd37a9b01c8e5a9aabe4fd9bb3

  • SHA256

    7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524

  • SHA512

    822fc7b7e4133c6bf8ac58790b327352bee771230c7f67f55c881c80cc4b26d09eb4b16cae0065edb23e1249167a03939a5fd97c3c359a5dc081ddb872b26fc6

  • SSDEEP

    24576:ryTL4TvffA66MEMTOLq5MhObXGcL+HsZzKyOF3kJSNl/jUXFsMeLMKdI/OGmhi3t:eT8T3fA5MEMTOLiycSOK93hIveYYI/Hz

Score
10/10
amadeymysticredlinesrutainfostealerpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

sruta

C2

77.91.124.82:19071

Attributes
  • auth_value

    c556edcd49703319eca74247de20c236

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 37 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524.exe
    "C:\Users\Admin\AppData\Local\Temp\7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2806158.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2806158.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4061380.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4061380.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4556
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5044543.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5044543.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1481423.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1481423.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1476
            • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3664
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:1864
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2788
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:2344
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "saves.exe" /P "Admin:N"
                    8⤵
                      PID:1712
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:R" /E
                      8⤵
                        PID:3572
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:572
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\b40d11255d" /P "Admin:N"
                          8⤵
                            PID:3620
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:R" /E
                            8⤵
                              PID:648
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3280700.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3280700.exe
                        5⤵
                        • Executes dropped EXE
                        PID:1400
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7852691.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7852691.exe
                      4⤵
                      • Executes dropped EXE
                      PID:4368
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4868
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4180
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4904
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4536
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1248
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3100
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4640
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3672
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1512
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2244
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2380
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3172
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3480
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1952
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1588
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4524
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1852
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4988
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3528
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2088
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3304
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2468
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3196
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:5020
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4612
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2356
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4764
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:956
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1312
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:616

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2806158.exe
                Filesize

                1.3MB

                MD5

                f444d350db44153332aec8b6d8c84d4a

                SHA1

                143761c8ec5bf0db418193dd102626aa44166433

                SHA256

                7b61edd23dee370d6938bc4c891473176eb46e46ad570a95a3c8af5b7287504a

                SHA512

                6980b5ad263ee215b6038ff547f77d0e5fd0d754a05e177df766acc2d297d3b39c4f60d2316cd1a90e5fe952be56b53374d49abbf8177688b392e85b698b3b3e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4061380.exe
                Filesize

                475KB

                MD5

                47111c2467fcc57226206434df4aef5f

                SHA1

                2f16a26e8ca33b317a9304eeb19641256263edbd

                SHA256

                500b30b9b08025fddc3de4a8e7f3e240b7ae4667515d13f4c855ac563c68eb74

                SHA512

                228e1c5151079c2e1b2ffca65c4a137e8c3bccdabf5c945ab99bc5acf31d1def7203cb4f49e79d8f061a81fe601f37eaf99ee9ddb94babea428beddf571459bd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7852691.exe
                Filesize

                174KB

                MD5

                a9288b0c28cf6c9f101af480513c0aec

                SHA1

                9e39db8e0f69f2c9fc570fe5bd4f149f6076389b

                SHA256

                bd1e7065344daa64692539e244342eac35904a9f194a7eb75aa985e5cdb5037c

                SHA512

                8633b3e71b022e584d4ebfc69b8a278b7456490d57e14fa702af4aa115b8eb26755ea33c7943cf77319b9af5e2b6c364f7fabc97742dd7c9cf0091ad58c59709

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5044543.exe
                Filesize

                320KB

                MD5

                18e0243bb67ab7a819eab64ddf018649

                SHA1

                518c71661ce38ec4f991d55bee4e360dec8d8024

                SHA256

                cac8af5dededf0a8e40c2c27f39065fd3c49f06040f975fae9f34c5ac10eaee3

                SHA512

                1fdc724077828f4066f048c3afd591023ad4caca1bcd96dd1aa5aeb2667f5606171786bb45b69b03b2f393213f8658f08ec231b3c91e24d91e0c5cdca60145f2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1481423.exe
                Filesize

                325KB

                MD5

                bfa836d65f048633b5ef820e342fdeb2

                SHA1

                958362033cb7c1a01bccd16a4ae3cc9922e6e110

                SHA256

                9fc979774b89cb53f091c6e39d56a3f8fb0ecaae260be2b2cb61089409666539

                SHA512

                2daf8d7a519d97f43fc570a041cabd3c83d2fe45926d7c7b1930da9d75f142bb4eef6b6004f414485833461823f0d71b16005458028ff7ff89f08f87f480f6a5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3280700.exe
                Filesize

                140KB

                MD5

                dde5bb1752b2ca2ee22efd5a5d1e8f54

                SHA1

                813478bf68868d64925d5abcf2146015b24cd531

                SHA256

                d8c3b35ff30d29db325eb12e2fd81784ddec984e8ba23b3b8dfe03c5b84a3fce

                SHA512

                11accf17d9da7d8af7d120da294cfc69f7a6f11795cd7c01d65295d49afa16a65ffd17a3c10f9af781808bf72d9aae239d72281ec8dc19020bffcc7b7f974304

                Download Submit

              • memory/4368-45-0x0000000003240000-0x0000000003246000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4368-43-0x0000000000F60000-0x0000000000F90000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4368-44-0x00000000729E0000-0x0000000073191000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4368-46-0x0000000006020000-0x0000000006638000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4368-47-0x0000000005B10000-0x0000000005C1A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4368-48-0x0000000005990000-0x00000000059A2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4368-49-0x00000000059F0000-0x0000000005A00000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4368-50-0x0000000005A00000-0x0000000005A3C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4368-51-0x0000000005A40000-0x0000000005A8C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4368-52-0x00000000729E0000-0x0000000073191000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4368-53-0x00000000059F0000-0x0000000005A00000-memory.dmp

                Filesize

                64KB

                Download