amadey | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe
Size

1.3MB
MD5

d1f9a12cbe2463928f93af9df2581972
SHA1

9d71be92b4a421e298ae6fc509d326e6fcd3b3c1
SHA256

35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec
SHA512

125939fc5108d907644aea134f4c3a4ec961a3bb1a6111db4863b532ed671f685165154689a14f9bc735ab887d1296aed99f373ab3f98c1a0f9a590d52a41e83
SSDEEP

24576:by9RXWCPEo9sN4cLWpA7eCKs6Rg8m/ZWOBjSYK9SvBsn64boafIBQ01K0Vry:O9RXWSEo9smcL++cs6inHBjSBA+rpk

Score

10^/10

amadey mystic redline fb0fb8 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m5176152.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4997969.exe	family_redline
behavioral4/memory/1760-43-0x0000000000250000-0x0000000000280000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l1296671.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	l1296671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 10 IoCs

Processes:

y5819175.exey0598187.exey5500197.exel1296671.exeexplonde.exem5176152.exen4997969.exeexplonde.exeexplonde.exeexplonde.exe

pid	process
4156	y5819175.exe
1364	y0598187.exe
4456	y5500197.exe
1276	l1296671.exe
2272	explonde.exe
2032	m5176152.exe
1760	n4997969.exe
5116	explonde.exe
4552	explonde.exe
1056	explonde.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y5500197.exe35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exey5819175.exey0598187.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y5500197.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5819175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0598187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4788 schtasks.exe

pid	process
4788	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exey5819175.exey0598187.exey5500197.exel1296671.exeexplonde.execmd.exe

description	pid	process	target process
PID 3612 wrote to memory of 4156	3612	35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe	y5819175.exe
PID 3612 wrote to memory of 4156	3612	35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe	y5819175.exe
PID 3612 wrote to memory of 4156	3612	35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe	y5819175.exe
PID 4156 wrote to memory of 1364	4156	y5819175.exe	y0598187.exe
PID 4156 wrote to memory of 1364	4156	y5819175.exe	y0598187.exe
PID 4156 wrote to memory of 1364	4156	y5819175.exe	y0598187.exe
PID 1364 wrote to memory of 4456	1364	y0598187.exe	y5500197.exe
PID 1364 wrote to memory of 4456	1364	y0598187.exe	y5500197.exe
PID 1364 wrote to memory of 4456	1364	y0598187.exe	y5500197.exe
PID 4456 wrote to memory of 1276	4456	y5500197.exe	l1296671.exe
PID 4456 wrote to memory of 1276	4456	y5500197.exe	l1296671.exe
PID 4456 wrote to memory of 1276	4456	y5500197.exe	l1296671.exe
PID 1276 wrote to memory of 2272	1276	l1296671.exe	explonde.exe
PID 1276 wrote to memory of 2272	1276	l1296671.exe	explonde.exe
PID 1276 wrote to memory of 2272	1276	l1296671.exe	explonde.exe
PID 4456 wrote to memory of 2032	4456	y5500197.exe	m5176152.exe
PID 4456 wrote to memory of 2032	4456	y5500197.exe	m5176152.exe
PID 4456 wrote to memory of 2032	4456	y5500197.exe	m5176152.exe
PID 1364 wrote to memory of 1760	1364	y0598187.exe	n4997969.exe
PID 1364 wrote to memory of 1760	1364	y0598187.exe	n4997969.exe
PID 1364 wrote to memory of 1760	1364	y0598187.exe	n4997969.exe
PID 2272 wrote to memory of 4788	2272	explonde.exe	schtasks.exe
PID 2272 wrote to memory of 4788	2272	explonde.exe	schtasks.exe
PID 2272 wrote to memory of 4788	2272	explonde.exe	schtasks.exe
PID 2272 wrote to memory of 2404	2272	explonde.exe	cmd.exe
PID 2272 wrote to memory of 2404	2272	explonde.exe	cmd.exe
PID 2272 wrote to memory of 2404	2272	explonde.exe	cmd.exe
PID 2404 wrote to memory of 2520	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2520	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2520	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 4592	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 4592	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 4592	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 3680	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 3680	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 3680	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 4568	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 4568	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 4568	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 1028	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 1028	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 1028	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 1844	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 1844	2404	cmd.exe	cacls.exe
PID 2404 wrote to memory of 1844	2404	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe
"C:\Users\Admin\AppData\Local\Temp\35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5819175.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5819175.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0598187.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0598187.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5500197.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5500197.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1296671.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1296671.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        8⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        
        PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m5176152.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m5176152.exe
        5⤵
        Executes dropped EXE
        
        PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4997969.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4997969.exe
      4⤵
      Executes dropped EXE
      PID:1760

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5819175.exe

Filesize
1.2MB

MD5
ac5e91f34cbbf36db18a8686c4a0699e

SHA1
ffd0c05caa8abb8b62f2e295c2de4ca699a08773

SHA256
a598d4f7bb893e669979fe1dcfb20f39ddfafe2819e104834e633ad18df6eede

SHA512
919e50401266f62b48b52ccc3c2a1e48c023f9e12e5075fcdbfb1870cdf93ceef6f431e2f0a3ae6018853574ca3c7fd33a82579aa15e32ea6b318607354ffc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0598187.exe

Filesize
434KB

MD5
f36451207c72f33d6ca31907ab61db21

SHA1
f29364ddd5d34fd486c75b3f4e8fdb96393c43a0

SHA256
1792d13f98d1a8003fd48d754fc49cad8a5fd221ecd08e071fbf41166ca9b4c5

SHA512
e5ca4c0f2f8beaca51fc7dfc576ebcb76f42b8663dccb7077f9de3577ff128ab6be8cac55a44923c5209c7138c08c16b1c9d53da4d8a4a6ab05a95d4d8525de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4997969.exe

Filesize
175KB

MD5
b990afc2893e5a1ac8f09c38db87fd24

SHA1
0058b2ab5476531588b93db0276e0de9e2577083

SHA256
c99b98cf3b36a6ba38773c7d1da85312c96feee8d4489ad984fa6fc012771efe

SHA512
3df6ec43cba8c8c280f93f1234cb5fe8b81f5f27a3b7fa766c79f7d2ef03027b7c775735c2901f99ac71cdde20021c6edde392f49f05114a32681085ad53193e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5500197.exe

Filesize
279KB

MD5
1860359c97adcc0fb54039d68983e735

SHA1
c374e47ee26618d638e8d0d38ed986080f4f2a34

SHA256
2c1a53454cdb3c93d4275741d1748b54d553b493f7a630e4c719ac73c199fc9a

SHA512
0938142996ebaa197ee297fd0347ef6568ae085c82d871dce5f869a9a4397ce6ebfe867e99e950103441ea000b62c4f00fc5aecb5fd25c7888a25685dd43305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1296671.exe

Filesize
220KB

MD5
70d33a5b3b4bffa31324723b548c781d

SHA1
02b9739a982b1fbd6b4e7ba46cedd7240f5950f1

SHA256
69b72d6ea69bb3f832121e1163211a108e658c6943dfd89fe3fadf72493122de

SHA512
4486f85390979a1e647c58b276dc576064c8bbefe77e0bf6cfcdf2cbd2383db26951306f83974f2975077bc0b0c237e1b2200ab400083c29935b3a6585a4cf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m5176152.exe

Filesize
141KB

MD5
74c01e48552336ca838e7c500d9e0c3b

SHA1
d13d1c145066549fcd80010373d520962412a8a1

SHA256
67e37fde308a038c0aaf65716d679f7588fc2ea74c855372ca86f8ec50a3daac

SHA512
7818cfa81976239c7918d8dae5141cb644a07c568136592a97d31b6e6de9050bd9d529720ad0917ec85632b484dd097e59fe61a62aae09b1ca9584b299adccb5

Download Submit
memory/1760-43-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1760-44-0x0000000007040000-0x0000000007046000-memory.dmp

Filesize
24KB

Download
memory/1760-45-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/1760-46-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

Filesize
1.0MB

Download
memory/1760-47-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/1760-48-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/1760-49-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

Filesize
304KB

Download