amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe
Size

582KB
MD5

d65b8e601b5fdb8b40ea6d22fd7e47eb
SHA1

e17ef0d987c09976de4825f1a21113b6924a580b
SHA256

4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f
SHA512

7978421c2c01dc1a1a4cea13772b526dbc69f6b46dd5c2b5e4ab4dd6768edde078f0b1a2816097bfa9e4bdbd5f94b2187cc322511001025364fad40cc034590a
SSDEEP

12288:FMrxy90Ydrzg5EyOuXQCRKR0EXVp7lM1aoxCTKx:EyFdvCEyuCRKaE3l7oGo

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8139848.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4654949.exe	family_redline
behavioral5/memory/4856-36-0x0000000000610000-0x0000000000640000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l2754109.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	l2754109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

Processes:

y6645628.exey2030303.exel2754109.exesaves.exem8139848.exen4654949.exesaves.exesaves.exesaves.exe

pid process

1420 y6645628.exe
2540 y2030303.exe
3972 l2754109.exe
4256 saves.exe
1324 m8139848.exe
4856 n4654949.exe
4480 saves.exe
4812 saves.exe
5076 saves.exe

pid	process
1420	y6645628.exe
2540	y2030303.exe
3972	l2754109.exe
4256	saves.exe
1324	m8139848.exe
4856	n4654949.exe
4480	saves.exe
4812	saves.exe
5076	saves.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exey6645628.exey2030303.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6645628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2030303.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5056 schtasks.exe

pid	process
5056	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exey6645628.exey2030303.exel2754109.exesaves.execmd.exe

description	pid	process	target process
PID 3932 wrote to memory of 1420	3932	4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe	y6645628.exe
PID 3932 wrote to memory of 1420	3932	4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe	y6645628.exe
PID 3932 wrote to memory of 1420	3932	4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe	y6645628.exe
PID 1420 wrote to memory of 2540	1420	y6645628.exe	y2030303.exe
PID 1420 wrote to memory of 2540	1420	y6645628.exe	y2030303.exe
PID 1420 wrote to memory of 2540	1420	y6645628.exe	y2030303.exe
PID 2540 wrote to memory of 3972	2540	y2030303.exe	l2754109.exe
PID 2540 wrote to memory of 3972	2540	y2030303.exe	l2754109.exe
PID 2540 wrote to memory of 3972	2540	y2030303.exe	l2754109.exe
PID 3972 wrote to memory of 4256	3972	l2754109.exe	saves.exe
PID 3972 wrote to memory of 4256	3972	l2754109.exe	saves.exe
PID 3972 wrote to memory of 4256	3972	l2754109.exe	saves.exe
PID 2540 wrote to memory of 1324	2540	y2030303.exe	m8139848.exe
PID 2540 wrote to memory of 1324	2540	y2030303.exe	m8139848.exe
PID 2540 wrote to memory of 1324	2540	y2030303.exe	m8139848.exe
PID 1420 wrote to memory of 4856	1420	y6645628.exe	n4654949.exe
PID 1420 wrote to memory of 4856	1420	y6645628.exe	n4654949.exe
PID 1420 wrote to memory of 4856	1420	y6645628.exe	n4654949.exe
PID 4256 wrote to memory of 5056	4256	saves.exe	schtasks.exe
PID 4256 wrote to memory of 5056	4256	saves.exe	schtasks.exe
PID 4256 wrote to memory of 5056	4256	saves.exe	schtasks.exe
PID 4256 wrote to memory of 3088	4256	saves.exe	cmd.exe
PID 4256 wrote to memory of 3088	4256	saves.exe	cmd.exe
PID 4256 wrote to memory of 3088	4256	saves.exe	cmd.exe
PID 3088 wrote to memory of 2776	3088	cmd.exe	cmd.exe
PID 3088 wrote to memory of 2776	3088	cmd.exe	cmd.exe
PID 3088 wrote to memory of 2776	3088	cmd.exe	cmd.exe
PID 3088 wrote to memory of 224	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 224	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 224	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 1000	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 1000	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 1000	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 3160	3088	cmd.exe	cmd.exe
PID 3088 wrote to memory of 3160	3088	cmd.exe	cmd.exe
PID 3088 wrote to memory of 3160	3088	cmd.exe	cmd.exe
PID 3088 wrote to memory of 4144	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 4144	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 4144	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 4548	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 4548	3088	cmd.exe	cacls.exe
PID 3088 wrote to memory of 4548	3088	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe
"C:\Users\Admin\AppData\Local\Temp\4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6645628.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6645628.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2030303.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2030303.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2754109.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2754109.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
6⤵
- Creates scheduled task(s)
PID:5056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2776

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
7⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
7⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3160

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
7⤵
PID:4144

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
7⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8139848.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8139848.exe
4⤵
- Executes dropped EXE
PID:1324

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4654949.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4654949.exe
3⤵
- Executes dropped EXE
PID:4856

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6645628.exe
Filesize
476KB

MD5
92d0c1adfbccf38ea2b0a631797109aa

SHA1
dadaa1c64b467ee8027d9c6b3e328500ee825379

SHA256
de353fac66278087f9f82f2aaace88ed4d71659667e0261b2615aab07ab65398

SHA512
033d48450bb0951909ec96c4b01ff1e2f22491ea7d36fe7a08a17deed81fbc02a5e342ea2118fa392531eea31b9f2d4e0657e36841758df1b754e474db98bfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4654949.exe
Filesize
174KB

MD5
d932b8153ba48e4255771c0b47754b68

SHA1
1b4ffde1dca1b9377620351043a23c64ce483716

SHA256
3b835ea5b8a5848009af9f9f09cabb70137311a6d0c6cc1b840208c2314ab5ec

SHA512
c509259a62830e4062e5e4096025d0c06c172a8d34524e91e4761a425766552d589f238e14fda30841c44bfa7cb60b5f3b0acd45af3639fcb5bdbffae13ea664

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2030303.exe
Filesize
320KB

MD5
6839028e751b165c664579a8c900e75e

SHA1
c3a05176e6e6750df151a5341c921ad94d5453aa

SHA256
f18ff27b7feeb7cb2948a7d7d87d26494c0c9c20f93fb656e65114059706834d

SHA512
d23ee0c0890cb4351b7f598803ced52e47f5c59415ed9c7e2f6cfaab475acbc5e5021f4ad73bd821ed2cdefa5cc80567d98e00b6afd7f5c0f2117871668d6a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2754109.exe
Filesize
338KB

MD5
b1d77a302b5e35899d19395298d9b8a9

SHA1
90877c27b65cce64342540f92df92472286777ea

SHA256
91fba7b3ba1df00d33f363e8bd4b190dd4a1fc8c2da7f801d0fee5da3f02efd2

SHA512
84bdd2179e590b5f18105641342b184e9e383c4b6e202b17a8ad9ec8b771929dca525ec513a1b539145599350f12546eb3674e44d89058a8f73ff3c4c078f027

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8139848.exe
Filesize
140KB

MD5
f2ea9cf6f1c1a8aa515b020b50d8ebaa

SHA1
e9b200bd584ba7f6665d1ca73dc99a57c66cb702

SHA256
87601b2bd8e3c8c0d8f5189001c0a2c625f8703defffd53b92ef99e88c67fd42

SHA512
e871b7d195ecdad3a357dc445cb4f658da13bcb79cd199d20f0df09d01cd52a37179436f3f1d3907c820fa159c368c776893bb0b9484b9931d36f1670b84643e

Download Submit
memory/4856-36-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/4856-37-0x0000000002900000-0x0000000002906000-memory.dmp

Filesize
24KB

Download
memory/4856-38-0x0000000005780000-0x0000000005D98000-memory.dmp

Filesize
6.1MB

Download
memory/4856-40-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/4856-39-0x0000000005270000-0x000000000537A000-memory.dmp

Filesize
1.0MB

Download
memory/4856-41-0x0000000005160000-0x000000000519C000-memory.dmp

Filesize
240KB

Download
memory/4856-42-0x00000000051A0000-0x00000000051EC000-memory.dmp

Filesize
304KB

Download