amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe
Size

1.3MB
MD5

5bbe0d4d9a0315328670257d051d24ec
SHA1

703f9e52cfa0752b6fe32ce544542d41c26f3414
SHA256

fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890
SHA512

346a4a5629c810d01660ca7b5fe27ca96b89df01e8fe8966858538ed64e06b35fc3aa6d4f39b7f2edfcad380e33a0e634d48c7eba4da1e928f6d0fee0644c35c
SSDEEP

24576:6ybUKxddkeq9KQxslEr58eZS7EWzWvm9bb+0je8be0QDeBc1:BbZniKQxslE98eZS7LT9b7bCeB

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3894073.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5460327.exe	family_redline
behavioral20/memory/2968-43-0x0000000000610000-0x0000000000640000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l2609937.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	l2609937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 10 IoCs

Processes:

y0492251.exey6886798.exey4786423.exel2609937.exesaves.exem3894073.exen5460327.exesaves.exesaves.exesaves.exe

pid	process
4984	y0492251.exe
4544	y6886798.exe
3944	y4786423.exe
4388	l2609937.exe
5036	saves.exe
624	m3894073.exe
2968	n5460327.exe
400	saves.exe
4396	saves.exe
4644	saves.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y0492251.exey6886798.exey4786423.exefd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0492251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6886798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y4786423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3124 schtasks.exe

pid	process
3124	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exey0492251.exey6886798.exey4786423.exel2609937.exesaves.execmd.exe

description	pid	process	target process
PID 4220 wrote to memory of 4984	4220	fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe	y0492251.exe
PID 4220 wrote to memory of 4984	4220	fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe	y0492251.exe
PID 4220 wrote to memory of 4984	4220	fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe	y0492251.exe
PID 4984 wrote to memory of 4544	4984	y0492251.exe	y6886798.exe
PID 4984 wrote to memory of 4544	4984	y0492251.exe	y6886798.exe
PID 4984 wrote to memory of 4544	4984	y0492251.exe	y6886798.exe
PID 4544 wrote to memory of 3944	4544	y6886798.exe	y4786423.exe
PID 4544 wrote to memory of 3944	4544	y6886798.exe	y4786423.exe
PID 4544 wrote to memory of 3944	4544	y6886798.exe	y4786423.exe
PID 3944 wrote to memory of 4388	3944	y4786423.exe	l2609937.exe
PID 3944 wrote to memory of 4388	3944	y4786423.exe	l2609937.exe
PID 3944 wrote to memory of 4388	3944	y4786423.exe	l2609937.exe
PID 4388 wrote to memory of 5036	4388	l2609937.exe	saves.exe
PID 4388 wrote to memory of 5036	4388	l2609937.exe	saves.exe
PID 4388 wrote to memory of 5036	4388	l2609937.exe	saves.exe
PID 3944 wrote to memory of 624	3944	y4786423.exe	m3894073.exe
PID 3944 wrote to memory of 624	3944	y4786423.exe	m3894073.exe
PID 3944 wrote to memory of 624	3944	y4786423.exe	m3894073.exe
PID 4544 wrote to memory of 2968	4544	y6886798.exe	n5460327.exe
PID 4544 wrote to memory of 2968	4544	y6886798.exe	n5460327.exe
PID 4544 wrote to memory of 2968	4544	y6886798.exe	n5460327.exe
PID 5036 wrote to memory of 3124	5036	saves.exe	schtasks.exe
PID 5036 wrote to memory of 3124	5036	saves.exe	schtasks.exe
PID 5036 wrote to memory of 3124	5036	saves.exe	schtasks.exe
PID 5036 wrote to memory of 3752	5036	saves.exe	cmd.exe
PID 5036 wrote to memory of 3752	5036	saves.exe	cmd.exe
PID 5036 wrote to memory of 3752	5036	saves.exe	cmd.exe
PID 3752 wrote to memory of 5108	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 5108	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 5108	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 4480	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 4480	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 4480	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 1424	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 1424	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 1424	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 2288	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 2288	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 2288	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 4508	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 4508	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 4508	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 5068	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 5068	3752	cmd.exe	cacls.exe
PID 3752 wrote to memory of 5068	3752	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe
"C:\Users\Admin\AppData\Local\Temp\fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0492251.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0492251.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6886798.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6886798.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4786423.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4786423.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l2609937.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l2609937.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
7⤵
- Creates scheduled task(s)
PID:3124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:5108

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
8⤵
PID:4480

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
8⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2288

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
8⤵
PID:4508

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
8⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3894073.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3894073.exe
5⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5460327.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5460327.exe
4⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0492251.exe
Filesize
1.1MB

MD5
d8df62ba006d203fcdae94a5bb22ec5f

SHA1
ea41c348a03e065a0d1a9eed29a2c5243188e03c

SHA256
ed2df8cd1b4b2c6dbe0e1fb3db1b73d1a39f6f571faa5b52fcf5f02825372b1d

SHA512
cd409889eeee089a849de53a25e8de9a55458c075783a285a98b344a359cd67c13a21c1a2d0f878383ba39e45213ec7fc8c4261aa226e6ef2d9fe32c9b74bea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6886798.exe
Filesize
476KB

MD5
c1c525f56170b66ce0b62e62deeaaf10

SHA1
a7993c38e8fb39ed28180484c6d50f0a27428364

SHA256
662ec7617cfc790b4eb1030be263c063494c500d699a9eace182a80efe854b60

SHA512
140b189b935bddae084a8751699e4e5b91153939c7f4b9f420f6221c08e490d331d1dcad8f7dd561ecba7eeae258f806b56e0b45c333c721c4bf834b09de19a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5460327.exe
Filesize
174KB

MD5
7bf53d19d3bdb53fa71edc166020e189

SHA1
d72d448ec107b3d785039d8163d3236123a1ae7e

SHA256
558b08eb78f66183a4f6d17dfc194cd0e80d7c476c231618174386f069b7ff04

SHA512
79b0f5206b5811a1d0776457cd1e3f11aed90ca2df68454c1e85a6db92ba0e77e863a5b069f910b098118f31b3a0406962aecbf29a420d93ede0165a992bc405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4786423.exe
Filesize
320KB

MD5
350b6d7235d51f9dcf65b6a23ea04fb2

SHA1
396a6443cbfd1bf487c7a89b47409dab9ec82a32

SHA256
bc991cb6f964c7631ec58666ac5ec1099ab051bdbbd40500445b3ae68db18f68

SHA512
88e82d95fc6946a862bdf13cc41746239277bb516bd31ac3c20dbdf67ce8b4383480b3750fed5f5b792729aacf50c81ad82ba9b33e3756bddb7f773c7356d9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l2609937.exe
Filesize
337KB

MD5
c5fc2e6a7975736ae74f24800f1605fd

SHA1
74396fade6cba489dec536512ef5ba8e42f1c5bc

SHA256
17d891b62d77dca7cd4e0bc3b238b2ae45c83e6efe958e685a2a7c7808091919

SHA512
bed008cce7239f279cba7818f985ebf036a43956f94b029c700cf0c70655da32f8bbf0be2cde604d4f6073f44d98a8f2ce8aa357413d792c92605186a1be3c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3894073.exe
Filesize
142KB

MD5
8487b191bffb0d48d273d6002572ce41

SHA1
d47fcaef926601703727285a1ee8e74c2c736493

SHA256
5de1317cac1d41a387b9f8014c5e5def4231ed2035c14387f685ebd8e62201df

SHA512
d51c8f558215a05e3cd0809a86207303e4164d03feb0f91fa93032a5c2fe9af0ee9e2ce480f2a17e7b154c76f703c2cf300dfd073febc02619071f9ce7a6bd41

Download Submit
memory/2968-43-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/2968-44-0x00000000027F0000-0x00000000027F6000-memory.dmp

Filesize
24KB

Download
memory/2968-45-0x0000000005670000-0x0000000005C88000-memory.dmp

Filesize
6.1MB

Download
memory/2968-46-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/2968-47-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/2968-48-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

Filesize
240KB

Download
memory/2968-49-0x0000000005050000-0x000000000509C000-memory.dmp

Filesize
304KB

Download