amadey | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
133s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe
Size

1.1MB
MD5

0f5d5a729ff93532847ef909acb40245
SHA1

c1ee789c3def4120069e9475a8c01b93d5d20561
SHA256

84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5
SHA512

1cb7bf999338addbf3bd31e29c2a3811b3fa44d975ae0f526372f8341f602c9bf51802c2ef3c3e5502050bcdd7d4edf7e1bba03f70d7aa0be1f2ccc3b571c7d8
SSDEEP

24576:Wyzs6aHdcaYZclKIEyGx8QxOtgrqNw0pc/T75Or1usTxW:lzsdHEylKIEyC8QEtNw0pc/TRsT

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5583854.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9163541.exe	family_redline
behavioral10/memory/1948-36-0x0000000000650000-0x0000000000680000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l9094914.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	l9094914.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 8 IoCs

Processes:

y8935343.exey9819062.exel9094914.exesaves.exem5583854.exen9163541.exesaves.exesaves.exe

pid process

2272 y8935343.exe
2580 y9819062.exe
2684 l9094914.exe
400 saves.exe
1220 m5583854.exe
1948 n9163541.exe
2124 saves.exe
1976 saves.exe

pid	process
2272	y8935343.exe
2580	y9819062.exe
2684	l9094914.exe
400	saves.exe
1220	m5583854.exe
1948	n9163541.exe
2124	saves.exe
1976	saves.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exey8935343.exey9819062.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8935343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9819062.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4572 schtasks.exe

pid	process
4572	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exey8935343.exey9819062.exel9094914.exesaves.execmd.exe

description	pid	process	target process
PID 412 wrote to memory of 2272	412	84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe	y8935343.exe
PID 412 wrote to memory of 2272	412	84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe	y8935343.exe
PID 412 wrote to memory of 2272	412	84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe	y8935343.exe
PID 2272 wrote to memory of 2580	2272	y8935343.exe	y9819062.exe
PID 2272 wrote to memory of 2580	2272	y8935343.exe	y9819062.exe
PID 2272 wrote to memory of 2580	2272	y8935343.exe	y9819062.exe
PID 2580 wrote to memory of 2684	2580	y9819062.exe	l9094914.exe
PID 2580 wrote to memory of 2684	2580	y9819062.exe	l9094914.exe
PID 2580 wrote to memory of 2684	2580	y9819062.exe	l9094914.exe
PID 2684 wrote to memory of 400	2684	l9094914.exe	saves.exe
PID 2684 wrote to memory of 400	2684	l9094914.exe	saves.exe
PID 2684 wrote to memory of 400	2684	l9094914.exe	saves.exe
PID 2580 wrote to memory of 1220	2580	y9819062.exe	m5583854.exe
PID 2580 wrote to memory of 1220	2580	y9819062.exe	m5583854.exe
PID 2580 wrote to memory of 1220	2580	y9819062.exe	m5583854.exe
PID 2272 wrote to memory of 1948	2272	y8935343.exe	n9163541.exe
PID 2272 wrote to memory of 1948	2272	y8935343.exe	n9163541.exe
PID 2272 wrote to memory of 1948	2272	y8935343.exe	n9163541.exe
PID 400 wrote to memory of 4572	400	saves.exe	schtasks.exe
PID 400 wrote to memory of 4572	400	saves.exe	schtasks.exe
PID 400 wrote to memory of 4572	400	saves.exe	schtasks.exe
PID 400 wrote to memory of 8	400	saves.exe	cmd.exe
PID 400 wrote to memory of 8	400	saves.exe	cmd.exe
PID 400 wrote to memory of 8	400	saves.exe	cmd.exe
PID 8 wrote to memory of 3248	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 3248	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 3248	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 752	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 752	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 752	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 1164	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 1164	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 1164	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 4028	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 4028	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 4028	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 3696	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 3696	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 3696	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 4076	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 4076	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 4076	8	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe
"C:\Users\Admin\AppData\Local\Temp\84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8935343.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8935343.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9819062.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9819062.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9094914.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9094914.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
6⤵
- Creates scheduled task(s)
PID:4572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3248

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
7⤵
PID:752

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
7⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4028

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
7⤵
PID:3696

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
7⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5583854.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5583854.exe
4⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9163541.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9163541.exe
3⤵
- Executes dropped EXE
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8935343.exe
Filesize
476KB

MD5
12a0b486f4b3e9722af390cc7523d9e1

SHA1
668afd4541f6d29fb6081642288926dc5394918b

SHA256
8c9d3cbfbd2b8e0115a73928fbe96eed536c92987d66bfd2ca8349b13c02c71d

SHA512
1db934032e0a452b8f2a02285dd0ea1f6354a935632b8e896a41f7b6cc5c4e6593e0c40fdcb2bc6108c31043498297e25ac2498a17eb4c66539ebe8cd2bf333b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9163541.exe
Filesize
173KB

MD5
065eb06359becf94ec39e0d1282a84c9

SHA1
8f13decafa11448e8f3e79f91d061af9cb5aa343

SHA256
d93da82dda7b30deba3d5ee59dd1980867185c50a5cf05ebac8f91eb5ddb5f8e

SHA512
09e994c183e0948a539be68bd9839cad4aa29fe5f2bc3e78c8b9e1c03b96d29d37ba6a2b3e2ef407aec70f0ab17a8c69116b1f27e499e26e7226eb90d213015e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9819062.exe
Filesize
320KB

MD5
52eb13bba10cd65d21b2147580b579fe

SHA1
0313e0b73526fea8261f8c8555b84347b6bba269

SHA256
25765d8d13d1d85a61e85587e28c0a0942810cbcdeb4deee0b54802735ce87d8

SHA512
fc118dd894fa13a5c558da7cdd8979c44d6129d82dd9a17d02ecb49215b939b62aad176d89a643e1aca20a9ab371cae16b9e209f2ef504af9a58ea20baa61323

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9094914.exe
Filesize
336KB

MD5
ed8cb0d35d037ef365eab56815539e9a

SHA1
7aa0ebaa49561a9273a5b833396faad0691c3c8d

SHA256
c2580043a8d3c4afd707939d3918aa111a06ced8e36008efdf1a37943c9d982f

SHA512
4bc5d377d75f3cd8a27d29453961c3a28715e3150dea642440f2cb3e82aa2f3a06c2e3045691c342e3f048b7306a40c11314fe34c0c83a36a3c2ffcdcd95ce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5583854.exe
Filesize
141KB

MD5
84514a758085bb7db9b6285f20fa451c

SHA1
d68b2dbf326228d3a19418dd0795f124a9dd5cc6

SHA256
85ac639400326086a601d5b89648161f4ffcd997ba85893bb1af8f963fd5ce6a

SHA512
a3037cff590106c85784c9aeb2354fe9e2b6d2b1ef6dd6614134ac80bc08bfc306a3decaaf725cf74b75444c383e146e8431b67b8251030b65148e6ccd6d8404

Download Submit
memory/1948-36-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/1948-37-0x0000000001220000-0x0000000001226000-memory.dmp

Filesize
24KB

Download
memory/1948-38-0x0000000005690000-0x0000000005CA8000-memory.dmp

Filesize
6.1MB

Download
memory/1948-39-0x0000000005180000-0x000000000528A000-memory.dmp

Filesize
1.0MB

Download
memory/1948-40-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/1948-41-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/1948-42-0x0000000005080000-0x00000000050CC000-memory.dmp

Filesize
304KB

Download