amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe
Size

600KB
MD5

520164b716b018381b9c742d869b32e4
SHA1

c106a10d377bf9b4bb5a4fe99565e2a3805eca05
SHA256

c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351
SHA512

fa004fa2f7170cd50a2ddca65dc26d9ab732ee6f1db843458215827f5ee26f102730e0bbf616276c42643224eef2205fc4d14238c9838d3cdd5a3c58e9316c9e
SSDEEP

12288:bMrRy90DursHSHejS8J0CUKR/e7tRJKRoEXMp71vTkMFnhCF2ZR:+yppH6J1UqG7tXKqE81IMFnhd/

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2486638.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2507380.exe	family_redline
behavioral13/memory/3544-36-0x00000000009E0000-0x0000000000A10000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b0591715.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	b0591715.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 8 IoCs

Processes:

v9458983.exev0295738.exeb0591715.exesaves.exec2486638.exed2507380.exesaves.exesaves.exe

pid process

4608 v9458983.exe
2972 v0295738.exe
2436 b0591715.exe
1760 saves.exe
3168 c2486638.exe
3544 d2507380.exe
2136 saves.exe
2964 saves.exe

pid	process
4608	v9458983.exe
2972	v0295738.exe
2436	b0591715.exe
1760	saves.exe
3168	c2486638.exe
3544	d2507380.exe
2136	saves.exe
2964	saves.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exev9458983.exev0295738.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9458983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0295738.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3720 schtasks.exe

pid	process
3720	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exev9458983.exev0295738.exeb0591715.exesaves.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 4608	1060	c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe	v9458983.exe
PID 1060 wrote to memory of 4608	1060	c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe	v9458983.exe
PID 1060 wrote to memory of 4608	1060	c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe	v9458983.exe
PID 4608 wrote to memory of 2972	4608	v9458983.exe	v0295738.exe
PID 4608 wrote to memory of 2972	4608	v9458983.exe	v0295738.exe
PID 4608 wrote to memory of 2972	4608	v9458983.exe	v0295738.exe
PID 2972 wrote to memory of 2436	2972	v0295738.exe	b0591715.exe
PID 2972 wrote to memory of 2436	2972	v0295738.exe	b0591715.exe
PID 2972 wrote to memory of 2436	2972	v0295738.exe	b0591715.exe
PID 2436 wrote to memory of 1760	2436	b0591715.exe	saves.exe
PID 2436 wrote to memory of 1760	2436	b0591715.exe	saves.exe
PID 2436 wrote to memory of 1760	2436	b0591715.exe	saves.exe
PID 2972 wrote to memory of 3168	2972	v0295738.exe	c2486638.exe
PID 2972 wrote to memory of 3168	2972	v0295738.exe	c2486638.exe
PID 2972 wrote to memory of 3168	2972	v0295738.exe	c2486638.exe
PID 4608 wrote to memory of 3544	4608	v9458983.exe	d2507380.exe
PID 4608 wrote to memory of 3544	4608	v9458983.exe	d2507380.exe
PID 4608 wrote to memory of 3544	4608	v9458983.exe	d2507380.exe
PID 1760 wrote to memory of 3720	1760	saves.exe	schtasks.exe
PID 1760 wrote to memory of 3720	1760	saves.exe	schtasks.exe
PID 1760 wrote to memory of 3720	1760	saves.exe	schtasks.exe
PID 1760 wrote to memory of 2164	1760	saves.exe	cmd.exe
PID 1760 wrote to memory of 2164	1760	saves.exe	cmd.exe
PID 1760 wrote to memory of 2164	1760	saves.exe	cmd.exe
PID 2164 wrote to memory of 3616	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 3616	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 3616	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 1656	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 1656	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 1656	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 1456	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 1456	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 1456	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 1624	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 1624	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 1624	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 3240	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 3240	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 3240	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 904	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 904	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 904	2164	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe
"C:\Users\Admin\AppData\Local\Temp\c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9458983.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9458983.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0295738.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0295738.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0591715.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0591715.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
6⤵
- Creates scheduled task(s)
PID:3720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3616

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
7⤵
PID:1656

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
7⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1624

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
7⤵
PID:3240

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
7⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2486638.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2486638.exe
4⤵
- Executes dropped EXE
PID:3168

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2507380.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2507380.exe
3⤵
- Executes dropped EXE
PID:3544

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9458983.exe
Filesize
475KB

MD5
152be6dc3e3ccd1bc9f0fdf2033e9a81

SHA1
e7432f9eb98748a8a68ce93b7ca363168c4c8677

SHA256
ca03e60732df4afd5969e84e6db30e11bab5c4fbcf618d0e915f837674239246

SHA512
930c35ce01fcdbb27b4df2f03aa9e1d67b365e6dd68688b6931fc116a68c5280ad0a41d1eda55ba385e0cf62298debe2cc619d0eeb9cf520f66eae08adf47670

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2507380.exe
Filesize
173KB

MD5
b062d96eb919297b78f016956855fde0

SHA1
1ae84c34ea5a75c07b89b7915109f3a2dbcf5a77

SHA256
08dbb78c0f12265379a92a96f4b4c56525b38085980a01c9e0364b84ca0d9d0b

SHA512
6e4ae0b21e8c7ac12d690312af08a7dc5a0701b9f33ee5618fca61b69aa7366a5d7e477357e8d0f33aac0d39c6ac23836247368f652dfcfd96149cac1cc4ad8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0295738.exe
Filesize
320KB

MD5
93b72c415cc08f25749411c68039a944

SHA1
307e6bfd65f62bfe485975238b60e55ee5539873

SHA256
cf88419bd50abc18e7b3c7a3288d1976053683d619e8973b36f50f949f5668ab

SHA512
f84b302ac85c5aaf8109fb4de3211a2e9297fbead28480334583c5f9a8b6f3f06a04d4ceb54e480288191ebf96f0a6380802d229bc658f34385c1aa6caf682a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0591715.exe
Filesize
336KB

MD5
0dfca66dc01e0314eb1c24296b05c7f4

SHA1
003e1a0aabbbfc82b46f08acdf3200aa38158fee

SHA256
74ea8eade0a55034b274686145a79a4d0c5dcadb49d233232abc546a16a096bc

SHA512
4822b911b57a95f3a280a89ecdb0ef5b93c068754183f42ed62517ba5e6a22f2fe96a67a7fc2aae0c0fd090dcfaf83d0461e015264ffbd0e46aeaa7dfef6ed4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2486638.exe
Filesize
141KB

MD5
14b0bdfb92cbae048a423d2481e2be43

SHA1
5848667a85645c2f1c25877d497fb035ea15a88d

SHA256
c41923a6b64bd19873de5721ba0ed69a826a70c02f72bd0520ac06be6afc3ec9

SHA512
50ff07350ae040c5c6c2df5c6dd4c8fc54ef0176519bcfd0307abb107743b7dc3ad6f490447a5d6cfe1b267a43e9c6de7a0d8430e06b71d8dbdae1ada243ea1b

Download Submit
memory/3544-36-0x00000000009E0000-0x0000000000A10000-memory.dmp

Filesize
192KB

Download
memory/3544-37-0x0000000002BD0000-0x0000000002BD6000-memory.dmp

Filesize
24KB

Download
memory/3544-38-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/3544-39-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/3544-40-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/3544-41-0x0000000005500000-0x000000000553C000-memory.dmp

Filesize
240KB

Download
memory/3544-42-0x0000000005690000-0x00000000056DC000-memory.dmp

Filesize
304KB

Download