Overview

overview

10

Static

static

3

0805913f50...13.exe

windows10-2004-x64

10

11eba51293...3a.exe

windows10-2004-x64

10

17a0568b20...3a.exe

windows10-2004-x64

10

346c46bc82...26.exe

windows10-2004-x64

10

4867af9d5d...1f.exe

windows10-2004-x64

10

5f2f269e1f...9a.exe

windows10-2004-x64

10

64e73ef21d...a1.exe

windows10-2004-x64

10

7c556f6f80...61.exe

windows10-2004-x64

10

8c970cc94c...d3.exe

windows10-2004-x64

10

9296923f57...24.exe

windows10-2004-x64

10

ae96a881fd...69.exe

windows10-2004-x64

10

b150b2b6ed...d5.exe

windows10-2004-x64

10

c1b0ce286b...51.exe

windows10-2004-x64

10

c1d1b117a2...35.exe

windows10-2004-x64

10

d876400b35...04.exe

windows10-2004-x64

10

eb3bd6af82...52.exe

windows10-2004-x64

10

eb7c2e9dc2...28.exe

windows10-2004-x64

10

ed2eb0d5dc...bf.exe

windows10-2004-x64

10

fc2a396813...13.exe

windows10-2004-x64

10

fd4ce916b7...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe

  • Size

    1.3MB

  • MD5

    5bbe0d4d9a0315328670257d051d24ec

  • SHA1

    703f9e52cfa0752b6fe32ce544542d41c26f3414

  • SHA256

    fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890

  • SHA512

    346a4a5629c810d01660ca7b5fe27ca96b89df01e8fe8966858538ed64e06b35fc3aa6d4f39b7f2edfcad380e33a0e634d48c7eba4da1e928f6d0fee0644c35c

  • SSDEEP

    24576:6ybUKxddkeq9KQxslEr58eZS7EWzWvm9bb+0je8be0QDeBc1:BbZniKQxslE98eZS7LT9b7bCeB

Score
10/10
amadeymysticredline59b440mrakinfostealerpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe
    "C:\Users\Admin\AppData\Local\Temp\fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0492251.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0492251.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6886798.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6886798.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3108
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4786423.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4786423.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l2609937.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l2609937.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4416
            • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:2952
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3792
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:3760
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "saves.exe" /P "Admin:N"
                    8⤵
                      PID:5024
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:R" /E
                      8⤵
                        PID:2500
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:776
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\b40d11255d" /P "Admin:N"
                          8⤵
                            PID:1648
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:R" /E
                            8⤵
                              PID:2644
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3894073.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3894073.exe
                        5⤵
                        • Executes dropped EXE
                        PID:3616
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5460327.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5460327.exe
                      4⤵
                      • Executes dropped EXE
                      PID:452
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4300
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:1796
                • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4576

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0492251.exe
                  Filesize

                  1.1MB

                  MD5

                  d8df62ba006d203fcdae94a5bb22ec5f

                  SHA1

                  ea41c348a03e065a0d1a9eed29a2c5243188e03c

                  SHA256

                  ed2df8cd1b4b2c6dbe0e1fb3db1b73d1a39f6f571faa5b52fcf5f02825372b1d

                  SHA512

                  cd409889eeee089a849de53a25e8de9a55458c075783a285a98b344a359cd67c13a21c1a2d0f878383ba39e45213ec7fc8c4261aa226e6ef2d9fe32c9b74bea6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6886798.exe
                  Filesize

                  476KB

                  MD5

                  c1c525f56170b66ce0b62e62deeaaf10

                  SHA1

                  a7993c38e8fb39ed28180484c6d50f0a27428364

                  SHA256

                  662ec7617cfc790b4eb1030be263c063494c500d699a9eace182a80efe854b60

                  SHA512

                  140b189b935bddae084a8751699e4e5b91153939c7f4b9f420f6221c08e490d331d1dcad8f7dd561ecba7eeae258f806b56e0b45c333c721c4bf834b09de19a7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5460327.exe
                  Filesize

                  174KB

                  MD5

                  7bf53d19d3bdb53fa71edc166020e189

                  SHA1

                  d72d448ec107b3d785039d8163d3236123a1ae7e

                  SHA256

                  558b08eb78f66183a4f6d17dfc194cd0e80d7c476c231618174386f069b7ff04

                  SHA512

                  79b0f5206b5811a1d0776457cd1e3f11aed90ca2df68454c1e85a6db92ba0e77e863a5b069f910b098118f31b3a0406962aecbf29a420d93ede0165a992bc405

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4786423.exe
                  Filesize

                  320KB

                  MD5

                  350b6d7235d51f9dcf65b6a23ea04fb2

                  SHA1

                  396a6443cbfd1bf487c7a89b47409dab9ec82a32

                  SHA256

                  bc991cb6f964c7631ec58666ac5ec1099ab051bdbbd40500445b3ae68db18f68

                  SHA512

                  88e82d95fc6946a862bdf13cc41746239277bb516bd31ac3c20dbdf67ce8b4383480b3750fed5f5b792729aacf50c81ad82ba9b33e3756bddb7f773c7356d9e7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l2609937.exe
                  Filesize

                  337KB

                  MD5

                  c5fc2e6a7975736ae74f24800f1605fd

                  SHA1

                  74396fade6cba489dec536512ef5ba8e42f1c5bc

                  SHA256

                  17d891b62d77dca7cd4e0bc3b238b2ae45c83e6efe958e685a2a7c7808091919

                  SHA512

                  bed008cce7239f279cba7818f985ebf036a43956f94b029c700cf0c70655da32f8bbf0be2cde604d4f6073f44d98a8f2ce8aa357413d792c92605186a1be3c41

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3894073.exe
                  Filesize

                  142KB

                  MD5

                  8487b191bffb0d48d273d6002572ce41

                  SHA1

                  d47fcaef926601703727285a1ee8e74c2c736493

                  SHA256

                  5de1317cac1d41a387b9f8014c5e5def4231ed2035c14387f685ebd8e62201df

                  SHA512

                  d51c8f558215a05e3cd0809a86207303e4164d03feb0f91fa93032a5c2fe9af0ee9e2ce480f2a17e7b154c76f703c2cf300dfd073febc02619071f9ce7a6bd41

                  Download Submit

                • memory/452-43-0x00000000006D0000-0x0000000000700000-memory.dmp

                  Filesize

                  192KB

                  Download

                • memory/452-44-0x0000000005130000-0x0000000005136000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/452-45-0x00000000057A0000-0x0000000005DB8000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/452-46-0x0000000005290000-0x000000000539A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/452-47-0x00000000051A0000-0x00000000051B2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/452-48-0x0000000005200000-0x000000000523C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/452-49-0x0000000005240000-0x000000000528C000-memory.dmp

                  Filesize

                  304KB

                  Download