amadey | fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe
Size

1.2MB
MD5

dcd9239b4bb709fc94e727b9ee27967c
SHA1

8ef4e373ab58a741760183d789277198dfde7ba9
SHA256

4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7
SHA512

1c9d81725cbf5b0eec0ca4c2cd61b4e9d0da644dc6c8d64877c46f11a732f4d3467f212065eef436c9892872a832b865d7d5489a7eeeda90891330ebce036ae0
SSDEEP

24576:AyUqqXwz+yZ7ocKLgR86dxL5R44FKMeeJ6qQp+iRCLP8rxk8T1fxg+n4GA:HUXwz+yZUcKLgRFdxL5WMeeJo4LEk8TX

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4258000.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7482544.exe	family_redline
behavioral6/memory/4984-43-0x0000000000CD0000-0x0000000000D00000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

saves.exel3349439.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	saves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	l3349439.exe

Executes dropped EXE 10 IoCs

Processes:

y9077140.exey3076544.exey0868718.exel3349439.exesaves.exem4258000.exen7482544.exesaves.exesaves.exesaves.exe

pid	process
2460	y9077140.exe
3804	y3076544.exe
4192	y0868718.exe
1360	l3349439.exe
752	saves.exe
4728	m4258000.exe
4984	n7482544.exe
1852	saves.exe
1600	saves.exe
3828	saves.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y3076544.exey0868718.exe4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exey9077140.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3076544.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y0868718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9077140.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4196 schtasks.exe

pid	process
4196	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exey9077140.exey3076544.exey0868718.exel3349439.exesaves.execmd.exe

description	pid	process	target process
PID 5096 wrote to memory of 2460	5096	4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe	y9077140.exe
PID 5096 wrote to memory of 2460	5096	4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe	y9077140.exe
PID 5096 wrote to memory of 2460	5096	4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe	y9077140.exe
PID 2460 wrote to memory of 3804	2460	y9077140.exe	y3076544.exe
PID 2460 wrote to memory of 3804	2460	y9077140.exe	y3076544.exe
PID 2460 wrote to memory of 3804	2460	y9077140.exe	y3076544.exe
PID 3804 wrote to memory of 4192	3804	y3076544.exe	y0868718.exe
PID 3804 wrote to memory of 4192	3804	y3076544.exe	y0868718.exe
PID 3804 wrote to memory of 4192	3804	y3076544.exe	y0868718.exe
PID 4192 wrote to memory of 1360	4192	y0868718.exe	l3349439.exe
PID 4192 wrote to memory of 1360	4192	y0868718.exe	l3349439.exe
PID 4192 wrote to memory of 1360	4192	y0868718.exe	l3349439.exe
PID 1360 wrote to memory of 752	1360	l3349439.exe	saves.exe
PID 1360 wrote to memory of 752	1360	l3349439.exe	saves.exe
PID 1360 wrote to memory of 752	1360	l3349439.exe	saves.exe
PID 4192 wrote to memory of 4728	4192	y0868718.exe	m4258000.exe
PID 4192 wrote to memory of 4728	4192	y0868718.exe	m4258000.exe
PID 4192 wrote to memory of 4728	4192	y0868718.exe	m4258000.exe
PID 3804 wrote to memory of 4984	3804	y3076544.exe	n7482544.exe
PID 3804 wrote to memory of 4984	3804	y3076544.exe	n7482544.exe
PID 3804 wrote to memory of 4984	3804	y3076544.exe	n7482544.exe
PID 752 wrote to memory of 4196	752	saves.exe	schtasks.exe
PID 752 wrote to memory of 4196	752	saves.exe	schtasks.exe
PID 752 wrote to memory of 4196	752	saves.exe	schtasks.exe
PID 752 wrote to memory of 1388	752	saves.exe	cmd.exe
PID 752 wrote to memory of 1388	752	saves.exe	cmd.exe
PID 752 wrote to memory of 1388	752	saves.exe	cmd.exe
PID 1388 wrote to memory of 4560	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 4560	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 4560	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1980	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 1980	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 1980	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 4252	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 4252	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 4252	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 4680	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 4680	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 4680	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 2172	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 2172	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 2172	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 364	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 364	1388	cmd.exe	cacls.exe
PID 1388 wrote to memory of 364	1388	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe
"C:\Users\Admin\AppData\Local\Temp\4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9077140.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9077140.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3076544.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3076544.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0868718.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0868718.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l3349439.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l3349439.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
7⤵
- Creates scheduled task(s)
PID:4196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4560

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
8⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
8⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4680

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
8⤵
PID:2172

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
8⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4258000.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4258000.exe
5⤵
- Executes dropped EXE
PID:4728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7482544.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7482544.exe
4⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9077140.exe
Filesize
1.1MB

MD5
6c5629162c8404822ccc15b2c58ece70

SHA1
508a02ed32266dc74810e0a1e4820bca4ed82dc3

SHA256
79d234cd978fb4b1532633309a5079a8c6916791a27bae598c69a49257c72264

SHA512
a6fbc71a10fe3e5c056ab86915dbc2b85f823f164226f805144b40af31ad9e837f8a7e846c10ab620f2b422ea030de60dc3a749bac30cdb2b7397f923c658bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3076544.exe
Filesize
475KB

MD5
0c2fc1a1074e1b48e74f671d826438c4

SHA1
d32d61c3b7b9d39da08e7c8564acd9f38274d730

SHA256
93d4e6083e31f1757777b7ccaaa9537677b632e06202c1af36dae9b7d10252a9

SHA512
ee782aecca70529fc292377b71aef82c650485682c1c236db3ca79eb9086605424a9dd1c85e102b064e95f4a809bc8e60a7be9547ebb9e6f49fb497de95ee498

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7482544.exe
Filesize
174KB

MD5
b841b67fe0267b0f91658e604b2d972c

SHA1
733d473c0c96d1b749866f63fe6c5727217d9d97

SHA256
fa8cd02ef80c12e3bf9b6d16317181ff7208b4c6584a9894cd270109f3a6455e

SHA512
6e8229fbb16e9004226ba9e7eb48b3f95dba7b6415cf17c5e6c2f4896b6e7eaba42bb37573abc271eb0f7724ec287e0ea995e9b9d41da3374cf231fe4e309fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0868718.exe
Filesize
319KB

MD5
cbffa97af79a8a71ace90f125bd19853

SHA1
8004dc02abe1891faf93fef8cfd508a890958dd1

SHA256
ac6327eb3c3155fa64ff851c7c07b6c07c63ac0c430c010452657657d1b6d38d

SHA512
778f9fe27a47741e482f9979cc799ac9dbe8724eca7d97f6648590dd43dc347e51053ef1390105bee756e529c3c6a1bb59199e54261cb00dfa079cfd68f6afd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l3349439.exe
Filesize
337KB

MD5
ec69365719ae7b104380ce1f4625cb73

SHA1
fabc244540a28c16c8bee3d13121559f1191fcf2

SHA256
1fcc7d20ba3469da25be3c7e9ad9b7f51e2a1a19af1ce00a223ec25b5501daaf

SHA512
163aa5d05945e63d80f42b484ba531bcec4b966b04c046c93ba1c87947f955d8aef1ef76c3095ad3a03beed4c0eb5fa98871ccf3a05ca92706d957276b716bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4258000.exe
Filesize
142KB

MD5
89d575bec105c59389672a253e97d0a0

SHA1
6cd99bc5c44a9a3783d39ba681809a98e4c03473

SHA256
89219073267b666e9bc4c2985b34a1639bce0fab011846bb69dc5e6a078239f3

SHA512
78be1fca5f43fae5f36793234244e30226c94c88c78cb6a0b77a64d8110336744f9f73a13921f5bd3ea4184cbc1f00ada6352a0f5027812d4834ac3620d3c4d6

Download Submit
memory/4984-43-0x0000000000CD0000-0x0000000000D00000-memory.dmp

Filesize
192KB

Download
memory/4984-44-0x0000000002E80000-0x0000000002E86000-memory.dmp

Filesize
24KB

Download
memory/4984-45-0x0000000005C70000-0x0000000006288000-memory.dmp

Filesize
6.1MB

Download
memory/4984-46-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/4984-47-0x0000000005650000-0x0000000005662000-memory.dmp

Filesize
72KB

Download
memory/4984-48-0x00000000056B0000-0x00000000056EC000-memory.dmp

Filesize
240KB

Download
memory/4984-49-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download