amadey | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe
Size

786KB
MD5

d97d90418a7726a700763296227eb7cc
SHA1

430ecef62ce1eb2830d0e197a94c211d4f94ba8f
SHA256

a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b
SHA512

9d55808e50e6a79a5534d934bba7de7d337fab4cf4abbb6b5e96e324b9eedf8503e89b4045d43029fea43a417db599abe8335b82c9b94c97eca479174510e6c8
SSDEEP

12288:fMrCy905rSmfpxFMSmWGsUKenqO5tD20+6mf1KRpsXZp79yOQxhLY2k0Uy7Z1:hyGdfFMOoDtmf1Krsj0h02k9y1

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral13/files/0x000700000002342f-38.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x000700000002342c-41.dat	family_redline
behavioral13/memory/4652-43-0x00000000005D0000-0x0000000000600000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	b9618356.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 10 IoCs

pid	Process
5024	v2449602.exe
4720	v9512729.exe
2404	v0518184.exe
2524	b9618356.exe
388	saves.exe
1120	c6017579.exe
4652	d0205995.exe
2116	saves.exe
576	saves.exe
1604	saves.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2449602.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9512729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0518184.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4564	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 5024	2672	a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe	83
PID 2672 wrote to memory of 5024	2672	a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe	83
PID 2672 wrote to memory of 5024	2672	a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe	83
PID 5024 wrote to memory of 4720	5024	v2449602.exe	84
PID 5024 wrote to memory of 4720	5024	v2449602.exe	84
PID 5024 wrote to memory of 4720	5024	v2449602.exe	84
PID 4720 wrote to memory of 2404	4720	v9512729.exe	86
PID 4720 wrote to memory of 2404	4720	v9512729.exe	86
PID 4720 wrote to memory of 2404	4720	v9512729.exe	86
PID 2404 wrote to memory of 2524	2404	v0518184.exe	87
PID 2404 wrote to memory of 2524	2404	v0518184.exe	87
PID 2404 wrote to memory of 2524	2404	v0518184.exe	87
PID 2524 wrote to memory of 388	2524	b9618356.exe	89
PID 2524 wrote to memory of 388	2524	b9618356.exe	89
PID 2524 wrote to memory of 388	2524	b9618356.exe	89
PID 2404 wrote to memory of 1120	2404	v0518184.exe	90
PID 2404 wrote to memory of 1120	2404	v0518184.exe	90
PID 2404 wrote to memory of 1120	2404	v0518184.exe	90
PID 4720 wrote to memory of 4652	4720	v9512729.exe	91
PID 4720 wrote to memory of 4652	4720	v9512729.exe	91
PID 4720 wrote to memory of 4652	4720	v9512729.exe	91
PID 388 wrote to memory of 4564	388	saves.exe	92
PID 388 wrote to memory of 4564	388	saves.exe	92
PID 388 wrote to memory of 4564	388	saves.exe	92
PID 388 wrote to memory of 4672	388	saves.exe	94
PID 388 wrote to memory of 4672	388	saves.exe	94
PID 388 wrote to memory of 4672	388	saves.exe	94
PID 4672 wrote to memory of 4976	4672	cmd.exe	96
PID 4672 wrote to memory of 4976	4672	cmd.exe	96
PID 4672 wrote to memory of 4976	4672	cmd.exe	96
PID 4672 wrote to memory of 1008	4672	cmd.exe	97
PID 4672 wrote to memory of 1008	4672	cmd.exe	97
PID 4672 wrote to memory of 1008	4672	cmd.exe	97
PID 4672 wrote to memory of 5016	4672	cmd.exe	98
PID 4672 wrote to memory of 5016	4672	cmd.exe	98
PID 4672 wrote to memory of 5016	4672	cmd.exe	98
PID 4672 wrote to memory of 4292	4672	cmd.exe	99
PID 4672 wrote to memory of 4292	4672	cmd.exe	99
PID 4672 wrote to memory of 4292	4672	cmd.exe	99
PID 4672 wrote to memory of 1296	4672	cmd.exe	100
PID 4672 wrote to memory of 1296	4672	cmd.exe	100
PID 4672 wrote to memory of 1296	4672	cmd.exe	100
PID 4672 wrote to memory of 4396	4672	cmd.exe	101
PID 4672 wrote to memory of 4396	4672	cmd.exe	101
PID 4672 wrote to memory of 4396	4672	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe
"C:\Users\Admin\AppData\Local\Temp\a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2449602.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2449602.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9512729.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9512729.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0518184.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0518184.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9618356.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9618356.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6017579.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6017579.exe
        5⤵
        Executes dropped EXE
        
        PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0205995.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0205995.exe
      4⤵
      Executes dropped EXE
      PID:4652

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2449602.exe

Filesize
600KB

MD5
b824cd2187bf08a072642d6ae625dbe0

SHA1
8938622c65ff9391f6896e45cc7058df6e9c592c

SHA256
5d206528f7bd94d0ba488d757b2d4552d4fa49963fa28a23ef337b2fc6715b9b

SHA512
a0ad13dd7e61a6847f694705228abc51f2f6fd7c5d8821b7c753a28a26247473943488c39f95e56a8af93b549a63437d7a4aa957ea7c34f2124e9b78be0b4e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9512729.exe

Filesize
476KB

MD5
83462e01c9768e5e155aadee1a68b9e6

SHA1
732785789aabc6328491ad50ca00409a52429d55

SHA256
1d0463f348f5bf8267fb314fc6463991d5b044608be09c2576c9b26b1c1b4939

SHA512
6c46c76a6da871f0538548ec21d692c04af4fcb9f58652d2d53acfc4437fd385caaf386b4722b4de01d9ac6b819477f2e116b9a3a8389f840160d0c3df8a994c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0205995.exe

Filesize
174KB

MD5
0c97f78762555a981d54d7352d32c551

SHA1
0b34f912a8a864f14ea1def622183c84150d520e

SHA256
212392ff2184f8d3599f5d2ff13a69c87e12509f77ebe8b04f1fb032a9756994

SHA512
fdf8d1d6d6ef9f5d894be12056a5e6c7d1ed09be91de863c31f18a028b65ac9ceae31f384d5859e4a263d5acd84e77a4d080fce51e09451a4e561c094c30cc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0518184.exe

Filesize
320KB

MD5
68f8e2fbf474f4838427446146dd8ade

SHA1
77b638f00459905f5180db8740af70837bcf1b0f

SHA256
db761e28eba09b3f00771ee2384acbe435ffa5a1e2a9c10d22ce082a6d189e09

SHA512
c6da1702d96a8f81175a1286bb27e57617f6cbe264d37f122eb9cae4ab2d65010b16a7896c6f29e8254c262e0b06ee29431bfb6151fc82370d85a698b76b7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9618356.exe

Filesize
337KB

MD5
205349674151c4627c1d77f90972ad39

SHA1
6d50fec73492623550dab7ad75c7637090c33bfe

SHA256
7c205e45cbe9dc76c5d6cb235c1d065898169c4d5e75a5f9a6b7e22b70a4e9a8

SHA512
137e2bac3d4d9054ea35ddcc389ebab10e9e14974135b24e7d49c7a015b0ac5e06c478a1d3c4b96ad5cfe04d7cd8b61625c6e4ef28e36cbef2f4220cbb053896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6017579.exe

Filesize
142KB

MD5
eaafd7b5a4f81809dcd90961ff255e5d

SHA1
b75369d5150df03db334804f39c6eb9a483a259e

SHA256
41843af416513cbf9186cdcb1c007b9de75246c4bae0631ebcab64bec83be853

SHA512
10fe2105bc6d6cc22c1898fa00766aa14b9bf33f4a901f161e30dea1ac5bc1be296c052491d297697980a65e95dd633ff11fb622922377d83fd359dffee0b258

Download Submit
memory/4652-43-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/4652-44-0x0000000004EF0000-0x0000000004EF6000-memory.dmp

Filesize
24KB

Download
memory/4652-45-0x00000000055B0000-0x0000000005BC8000-memory.dmp

Filesize
6.1MB

Download
memory/4652-46-0x00000000050A0000-0x00000000051AA000-memory.dmp

Filesize
1.0MB

Download
memory/4652-47-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/4652-48-0x0000000004FD0000-0x000000000500C000-memory.dmp

Filesize
240KB

Download
memory/4652-49-0x0000000005010000-0x000000000505C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads