amadey | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe
Size

476KB
MD5

1f97ceddfda581c9ec60046f75303998
SHA1

46877392054ca0be8a14c4e1d9b3d29e07207dab
SHA256

4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687
SHA512

fa8de06624492e47336c1df59269b2ce95aa73016f75f50514bc8e7d72d5fd3d453cb9af4b4a7673b91f3582b5ac639f264f674de11beb0cec2535f66a9ae076
SSDEEP

6144:Kzy+bnr+up0yN90QE8nNKUZvdbWjVJGZ0KbFOfs/jfh3Q+KRFgEXtaBv7+hKBfsR:FMr+y90WnrFz75g+KRuEXYp7nBfBp45

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023425-24.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023422-27.dat	family_redline
behavioral6/memory/1728-29-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	r6888122.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 8 IoCs

pid	Process
2308	z0625404.exe
1412	r6888122.exe
1188	saves.exe
4940	s4839651.exe
1728	t2557588.exe
2448	saves.exe
764	saves.exe
5100	saves.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0625404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
208	schtasks.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2308	2816	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	82
PID 2816 wrote to memory of 2308	2816	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	82
PID 2816 wrote to memory of 2308	2816	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	82
PID 2308 wrote to memory of 1412	2308	z0625404.exe	83
PID 2308 wrote to memory of 1412	2308	z0625404.exe	83
PID 2308 wrote to memory of 1412	2308	z0625404.exe	83
PID 1412 wrote to memory of 1188	1412	r6888122.exe	84
PID 1412 wrote to memory of 1188	1412	r6888122.exe	84
PID 1412 wrote to memory of 1188	1412	r6888122.exe	84
PID 2308 wrote to memory of 4940	2308	z0625404.exe	86
PID 2308 wrote to memory of 4940	2308	z0625404.exe	86
PID 2308 wrote to memory of 4940	2308	z0625404.exe	86
PID 2816 wrote to memory of 1728	2816	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	87
PID 2816 wrote to memory of 1728	2816	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	87
PID 2816 wrote to memory of 1728	2816	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	87
PID 1188 wrote to memory of 208	1188	saves.exe	88
PID 1188 wrote to memory of 208	1188	saves.exe	88
PID 1188 wrote to memory of 208	1188	saves.exe	88
PID 1188 wrote to memory of 544	1188	saves.exe	90
PID 1188 wrote to memory of 544	1188	saves.exe	90
PID 1188 wrote to memory of 544	1188	saves.exe	90
PID 544 wrote to memory of 2620	544	cmd.exe	92
PID 544 wrote to memory of 2620	544	cmd.exe	92
PID 544 wrote to memory of 2620	544	cmd.exe	92
PID 544 wrote to memory of 3368	544	cmd.exe	93
PID 544 wrote to memory of 3368	544	cmd.exe	93
PID 544 wrote to memory of 3368	544	cmd.exe	93
PID 544 wrote to memory of 4652	544	cmd.exe	94
PID 544 wrote to memory of 4652	544	cmd.exe	94
PID 544 wrote to memory of 4652	544	cmd.exe	94
PID 544 wrote to memory of 676	544	cmd.exe	95
PID 544 wrote to memory of 676	544	cmd.exe	95
PID 544 wrote to memory of 676	544	cmd.exe	95
PID 544 wrote to memory of 4376	544	cmd.exe	96
PID 544 wrote to memory of 4376	544	cmd.exe	96
PID 544 wrote to memory of 4376	544	cmd.exe	96
PID 544 wrote to memory of 4872	544	cmd.exe	97
PID 544 wrote to memory of 4872	544	cmd.exe	97
PID 544 wrote to memory of 4872	544	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe
"C:\Users\Admin\AppData\Local\Temp\4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0625404.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0625404.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6888122.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6888122.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
      "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2620
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        6⤵
        
        PID:3368
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        6⤵
        
        PID:4652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:676
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        6⤵
        
        PID:4376
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        6⤵
        
        PID:4872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4839651.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4839651.exe
    3⤵
    - Executes dropped EXE
    PID:4940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2557588.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2557588.exe
  2⤵
  - Executes dropped EXE
  PID:1728

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2557588.exe

Filesize
174KB

MD5
01ee06badc69d433b00e86d9470d913b

SHA1
2db998f2f388f3e9c2a4526fd2a03110e254a0b3

SHA256
e31f4292ca9c86113f6c396cd537caab35451b0840a4d3a12ce40823f46fc31f

SHA512
57680a2ab80f8020053d58b64caed2263b321b69bd7700f7986ade20fd9451341f9e868e0a2d3749f8bfe98e07ff4f20c3e454f24a5d6bc6fa175444a6bf2dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0625404.exe

Filesize
320KB

MD5
f88f7827d88253cf38cdb887fbb5c255

SHA1
83e5c7652ec7699f9f18c28c3fc1e846234a46ef

SHA256
27a01654c39051987d670d7b762a6b543ff80af71d8c9b116c7f9794490355c0

SHA512
f277f7ede2e3658c165e4674d4de3d199ea108c7d88b53f9373ea7ac0543014b876ffe57c8d53e2a52b4b5ceed1e7f15890f85d5eea7ef4c5c37b5015e910416

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6888122.exe

Filesize
337KB

MD5
a42d6158cc5dbd66ba3e36efe268aa0b

SHA1
526e8f3db8b47b9bbd640e902b25671abfe24016

SHA256
3bd0dea6d199b48c8ea787136c7c973fa5ca50bdcc21391777a4cb5a486111bb

SHA512
63ddef981bcc88b68798698eadf28541183feab585ed3322509df1dab219c21f8f75f85cbd334abaed753c3b6d73fbaf54665f44b6f95106a54b8a6612225da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4839651.exe

Filesize
142KB

MD5
96b43a16b427e278730ace6aa223376b

SHA1
2e135735479761b8223e6f206f1fb5cfb30ab93a

SHA256
dda098266842d041ce3f9ec2c70d8bb2999a1135fe574307dac628e7692e3210

SHA512
5648c52430fc119e03879779ccfa2632888db160eeb776322b0e927397b1c02b006886558f726e1be20cff7da430fb304ab6b61c04f12194d268c02df8797b36

Download Submit
memory/1728-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1728-30-0x00000000026F0000-0x00000000026F6000-memory.dmp

Filesize
24KB

Download
memory/1728-31-0x00000000053B0000-0x00000000059C8000-memory.dmp

Filesize
6.1MB

Download
memory/1728-32-0x0000000004EA0000-0x0000000004FAA000-memory.dmp

Filesize
1.0MB

Download
memory/1728-33-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1728-34-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

Filesize
240KB

Download
memory/1728-35-0x0000000004E30000-0x0000000004E7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads