amadey | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe
Size

1.3MB
MD5

7897a8a6ebf8c162b11b148555d5c616
SHA1

60992a6f05358dc6150f7c42a8b5bb42266e6e6b
SHA256

059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e
SHA512

9b37ae7168063fbf820682d3935242bf3254d1eace417b9206da7e7ea3bec26aa003cdb5347d39d2ae446f73ea77ddf5fddb7cb3e09c5bacada9863d9f9d3b34
SSDEEP

24576:Oy/HLy2splQy14Pz413AxpZz1MqkaZEouZugKp3:d/ry2oDWPzG3uR1MqkfZ

Score

10^/10

amadey mystic redline fb0fb8 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1041178.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2300833.exe	family_redline
behavioral3/memory/1876-43-0x0000000000FC0000-0x0000000000FF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l0097372.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	l0097372.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 9 IoCs

Processes:

y1046607.exey5252126.exey6491506.exel0097372.exeexplonde.exem1041178.exen2300833.exeexplonde.exeexplonde.exe

pid	process
2996	y1046607.exe
3076	y5252126.exe
3448	y6491506.exe
4252	l0097372.exe
4812	explonde.exe
2416	m1041178.exe
1876	n2300833.exe
1452	explonde.exe
4380	explonde.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y5252126.exey6491506.exe059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exey1046607.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5252126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y6491506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1046607.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1332 schtasks.exe

pid	process
1332	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exey1046607.exey5252126.exey6491506.exel0097372.exeexplonde.execmd.exe

description	pid	process	target process
PID 4860 wrote to memory of 2996	4860	059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe	y1046607.exe
PID 4860 wrote to memory of 2996	4860	059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe	y1046607.exe
PID 4860 wrote to memory of 2996	4860	059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe	y1046607.exe
PID 2996 wrote to memory of 3076	2996	y1046607.exe	y5252126.exe
PID 2996 wrote to memory of 3076	2996	y1046607.exe	y5252126.exe
PID 2996 wrote to memory of 3076	2996	y1046607.exe	y5252126.exe
PID 3076 wrote to memory of 3448	3076	y5252126.exe	y6491506.exe
PID 3076 wrote to memory of 3448	3076	y5252126.exe	y6491506.exe
PID 3076 wrote to memory of 3448	3076	y5252126.exe	y6491506.exe
PID 3448 wrote to memory of 4252	3448	y6491506.exe	l0097372.exe
PID 3448 wrote to memory of 4252	3448	y6491506.exe	l0097372.exe
PID 3448 wrote to memory of 4252	3448	y6491506.exe	l0097372.exe
PID 4252 wrote to memory of 4812	4252	l0097372.exe	explonde.exe
PID 4252 wrote to memory of 4812	4252	l0097372.exe	explonde.exe
PID 4252 wrote to memory of 4812	4252	l0097372.exe	explonde.exe
PID 3448 wrote to memory of 2416	3448	y6491506.exe	m1041178.exe
PID 3448 wrote to memory of 2416	3448	y6491506.exe	m1041178.exe
PID 3448 wrote to memory of 2416	3448	y6491506.exe	m1041178.exe
PID 3076 wrote to memory of 1876	3076	y5252126.exe	n2300833.exe
PID 3076 wrote to memory of 1876	3076	y5252126.exe	n2300833.exe
PID 3076 wrote to memory of 1876	3076	y5252126.exe	n2300833.exe
PID 4812 wrote to memory of 1332	4812	explonde.exe	schtasks.exe
PID 4812 wrote to memory of 1332	4812	explonde.exe	schtasks.exe
PID 4812 wrote to memory of 1332	4812	explonde.exe	schtasks.exe
PID 4812 wrote to memory of 2016	4812	explonde.exe	cmd.exe
PID 4812 wrote to memory of 2016	4812	explonde.exe	cmd.exe
PID 4812 wrote to memory of 2016	4812	explonde.exe	cmd.exe
PID 2016 wrote to memory of 4952	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 4952	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 4952	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2796	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 2796	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 2796	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 5068	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 5068	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 5068	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 5116	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 5116	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 5116	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 3972	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 3972	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 3972	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 560	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 560	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 560	2016	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe
"C:\Users\Admin\AppData\Local\Temp\059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1046607.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1046607.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5252126.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5252126.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6491506.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6491506.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0097372.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0097372.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        8⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        8⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        
        PID:560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1041178.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1041178.exe
        5⤵
        Executes dropped EXE
        
        PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2300833.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2300833.exe
      4⤵
      Executes dropped EXE
      PID:1876

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1046607.exe

Filesize
1.2MB

MD5
1e9a27aa9157170b437e05ae18507821

SHA1
e3c088ffa8852292747489b906b9b84c325d750d

SHA256
2b5b290d9fd8b03155e0d1ee86a9f001aef68b3c6881ef9de54853f3ef0de438

SHA512
3a337a75494dbed1c30a092caa1a5ed6a41eeb73e8d4c9f5a87206f757cdc0818e5f0d3495c87a47417f1bc9f0142bd4543ae3e6c083e1898b656e05d68efd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5252126.exe

Filesize
434KB

MD5
6d040370483bbc6f04183e953b0af85a

SHA1
fea9bf0bf465a390ddc92cd9e3b7e6ea4617f7d4

SHA256
e8f2bb49e38541dc2b99455b42a7ffc4dec76b2dc45bb6804d76fc13ee406229

SHA512
240d84b822469eaf09099f3b546c35b2d990937b11973612bc9828545cf43884208ed6937c0a1d73e277cfeedb030b0ba3f86334b6a6f15c3312b4896603d35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2300833.exe

Filesize
175KB

MD5
c9e0023d107132671a9f96713906d45f

SHA1
c0e7957dc4c543ca0901ad12b61c5dbc1adc51bc

SHA256
11e8531637f40c8e85155faec54b4f35d335c8c852e633832efb680d89529086

SHA512
812fcd7e1cca5ea28f062358eebb3dfd57b5d0adff0a442a7803d48a8b57bf881151712cc82945561e21eb05cf1bec6a610b39276a8a61056ba18b0e332c3330

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6491506.exe

Filesize
279KB

MD5
b23b673f32d9d279165aaff685f579d7

SHA1
af45a41be1b7264e00695452a3ca8b540e41ead5

SHA256
3be0de8caf72ae50738d4408b005111bfe27de0f506322059553bdbe28ba6f16

SHA512
1b5b24a41f0cc4f43e4c66613c611f8385d0402dbef86d9d141fb0d11316e5c39853225abe017ea854fbaaa2faf3f2d5be9ea22df7ed4dd46cdb8547ff390a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0097372.exe

Filesize
220KB

MD5
7276c73b538d19d7cae92db68f6f732d

SHA1
6bbc693032f7b825f07bbd684e43617b14f818e7

SHA256
2d67baa155bd29c3ea239132c8b52263560bb2e65b7bb579a964b44c1fdec08c

SHA512
8f6392a0b530b90f2955d431ab1b8b7ad155a13822b749aa4e6bc935ec5178518c1abc8b0af6673a2bf553f618a5500c7cdfa0a149486e099a012a702de2210f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1041178.exe

Filesize
141KB

MD5
dee9f54a9d9c33a56f8f1b2b077557fc

SHA1
6cdd896ae974891b3c96105d333e59d2d26b403f

SHA256
2ad8f8a9affbb5ce21e2518fecaf04e2d4fca93cb454e8ee5b6624b0185f0fae

SHA512
da83b213c1a397eeb729b04e9cb5c28cef3dfd4eb6b9cb937932f81c97ee0494839d7bdf8572134f9aa7c4cddc28c71646249d70365298e22b9ca77ca0008c8b

Download Submit
memory/1876-43-0x0000000000FC0000-0x0000000000FF0000-memory.dmp

Filesize
192KB

Download
memory/1876-44-0x0000000003350000-0x0000000003356000-memory.dmp

Filesize
24KB

Download
memory/1876-45-0x0000000005F40000-0x0000000006558000-memory.dmp

Filesize
6.1MB

Download
memory/1876-46-0x0000000005A30000-0x0000000005B3A000-memory.dmp

Filesize
1.0MB

Download
memory/1876-47-0x0000000005940000-0x0000000005952000-memory.dmp

Filesize
72KB

Download
memory/1876-48-0x00000000059A0000-0x00000000059DC000-memory.dmp

Filesize
240KB

Download
memory/1876-49-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download