amadey | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
Size

1.2MB
MD5

8c1c0914a0def51e04e998dd838101cd
SHA1

b87baade2891a73a85efed31f915502e52ac9c8a
SHA256

8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42
SHA512

2a5cbd449be690d512471ca0a3d1c3a8e1e6f88e31cb92cc01c007c418f90f4194f5b4d25c1d8781957be8a050617e21ca7eec9212bc5bac2db0c35db1160b55
SSDEEP

24576:nybWEzJzFzI7rAK+1QrZkCcedGcTkWKRLGFA34cMaxHzq96AuR6r6SR6T5Es:ybWEzNFzI/AK+1QaCcedGKkT3vxTqUyf

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1961210.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3786566.exe	family_redline
behavioral12/memory/4732-43-0x0000000000C90000-0x0000000000CC0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l6060572.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	l6060572.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

Processes:

y5814265.exey0727749.exey4415555.exel6060572.exesaves.exem1961210.exen3786566.exesaves.exesaves.exe

pid process

5052 y5814265.exe
4632 y0727749.exe
3424 y4415555.exe
3404 l6060572.exe
1496 saves.exe
5068 m1961210.exe
4732 n3786566.exe
4392 saves.exe
4516 saves.exe

pid	process
5052	y5814265.exe
4632	y0727749.exe
3424	y4415555.exe
3404	l6060572.exe
1496	saves.exe
5068	m1961210.exe
4732	n3786566.exe
4392	saves.exe
4516	saves.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exey5814265.exey0727749.exey4415555.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5814265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0727749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y4415555.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4132 schtasks.exe

pid	process
4132	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exey5814265.exey0727749.exey4415555.exel6060572.exesaves.execmd.exe

description	pid	process	target process
PID 4436 wrote to memory of 5052	4436	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe	y5814265.exe
PID 4436 wrote to memory of 5052	4436	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe	y5814265.exe
PID 4436 wrote to memory of 5052	4436	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe	y5814265.exe
PID 5052 wrote to memory of 4632	5052	y5814265.exe	y0727749.exe
PID 5052 wrote to memory of 4632	5052	y5814265.exe	y0727749.exe
PID 5052 wrote to memory of 4632	5052	y5814265.exe	y0727749.exe
PID 4632 wrote to memory of 3424	4632	y0727749.exe	y4415555.exe
PID 4632 wrote to memory of 3424	4632	y0727749.exe	y4415555.exe
PID 4632 wrote to memory of 3424	4632	y0727749.exe	y4415555.exe
PID 3424 wrote to memory of 3404	3424	y4415555.exe	l6060572.exe
PID 3424 wrote to memory of 3404	3424	y4415555.exe	l6060572.exe
PID 3424 wrote to memory of 3404	3424	y4415555.exe	l6060572.exe
PID 3404 wrote to memory of 1496	3404	l6060572.exe	saves.exe
PID 3404 wrote to memory of 1496	3404	l6060572.exe	saves.exe
PID 3404 wrote to memory of 1496	3404	l6060572.exe	saves.exe
PID 3424 wrote to memory of 5068	3424	y4415555.exe	m1961210.exe
PID 3424 wrote to memory of 5068	3424	y4415555.exe	m1961210.exe
PID 3424 wrote to memory of 5068	3424	y4415555.exe	m1961210.exe
PID 4632 wrote to memory of 4732	4632	y0727749.exe	n3786566.exe
PID 4632 wrote to memory of 4732	4632	y0727749.exe	n3786566.exe
PID 4632 wrote to memory of 4732	4632	y0727749.exe	n3786566.exe
PID 1496 wrote to memory of 4132	1496	saves.exe	schtasks.exe
PID 1496 wrote to memory of 4132	1496	saves.exe	schtasks.exe
PID 1496 wrote to memory of 4132	1496	saves.exe	schtasks.exe
PID 1496 wrote to memory of 2412	1496	saves.exe	cmd.exe
PID 1496 wrote to memory of 2412	1496	saves.exe	cmd.exe
PID 1496 wrote to memory of 2412	1496	saves.exe	cmd.exe
PID 2412 wrote to memory of 1768	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 1768	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 1768	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 3544	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 3544	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 3544	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 2796	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 2796	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 2796	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4508	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 4508	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 4508	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 4712	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4712	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4712	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4356	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4356	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4356	2412	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
"C:\Users\Admin\AppData\Local\Temp\8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814265.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814265.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0727749.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0727749.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4415555.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4415555.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l6060572.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l6060572.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
7⤵
- Creates scheduled task(s)
PID:4132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:1768

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
8⤵
PID:3544

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
8⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:4508

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
8⤵
PID:4712

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
8⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1961210.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1961210.exe
5⤵
- Executes dropped EXE
PID:5068

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3786566.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3786566.exe
4⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814265.exe
Filesize
1.1MB

MD5
aa4d4ad338e8e551114d9d85f2a031a4

SHA1
35f60dde4386e20b755ef41c437b2c1ce1716c1a

SHA256
4d1b51d579d3fe54ae45157358809f193325e900b72ed6ebb0f2110d4e03acf3

SHA512
ab40ad5ea4aef4be07d03240003baabddb37f4aa2104b92a239c5e65551cfa14d16b9a13e2172364bf13a7c659a6ad63f0df58fdae4385e8875d073f7f2f631e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0727749.exe
Filesize
475KB

MD5
8ac394bb457b45f64caa8510e90284e9

SHA1
25a8038634e2d9bbe11bf62fbdf301c1792c94be

SHA256
fc8d9d51877cae60f1229e0502e634edabb0c0047e5fa2123bdf3d806be86ff3

SHA512
c5be52edf7e76a2436bc531a50f4502adfce3677b44c6f0d82e32891e947528defe289510e288ed1ca96d146cf6d12e94dd801b6505ed6bd7d0de2f0473c95ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3786566.exe
Filesize
174KB

MD5
8d32340fdf8442a241158774abb34e19

SHA1
9ebef518b75d702fbaa1e7e9b3633d5cca25ec14

SHA256
26439ad1a73d2b60e18639cc5881edd14c95ccad667a48ddd2a62083cf80b4b4

SHA512
7ff44388e36b102056df4f218fc642e90f87290f69b4de0adb86214cdf0c0dca1cf9cc9eaefc287f603f12a89fc7cff7e474b11e1af7c8d62d1727e312bdbca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4415555.exe
Filesize
319KB

MD5
fcb1f8e59c9bfbd8327b0bd981d3a8a7

SHA1
29304a7017ba311eac729688ee076f165b9b34f4

SHA256
8d06fe3e0d8770dc1535fc0bb0c6b23bb07b06d713bc9d61e3aae530ec85c1a9

SHA512
f897a61270c73797b273936a9526782762d74669cb8de7c7dd59596b99e9c89a9a41e5c6774f3eaaf0e99c6c4e203910d89e7a5ba2e2f92077ccfc99ac801900

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l6060572.exe
Filesize
337KB

MD5
408d61c25ae8e8a4f0e393420d122653

SHA1
3f30e056d27cc60bac5897e0101ddf77eb6c3e75

SHA256
62d857831a501237da194659ff2526d90eec828ea04ba4cc6486422d52aae26d

SHA512
c8b1c1310e175cc382e58e41cae53cfeb72417e0a96addcb8c329e567a5bf25005aa6f953bef2a729f7586f4cb15ffb99a19512ce7e7828f225997caf160d72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1961210.exe
Filesize
142KB

MD5
324905fc85eb390c1ef3e707a7a589ba

SHA1
6bce9aac9311620dc2a096dcb608e53f9d0a3263

SHA256
9a111fa4a6fa5ccd2cb5cd55b0e8ee6423ea3bf62ee657527b0093d62b238a66

SHA512
3db649b624fc684a2bb8ee228d0ef2eac8bdf352b31b7c2bfe4030a5e2aa561549e7712e03ea32a5b6017d11d9b15cce0093060a27df937894fb2791485f9f2b

Download Submit
memory/4732-43-0x0000000000C90000-0x0000000000CC0000-memory.dmp

Filesize
192KB

Download
memory/4732-44-0x0000000001350000-0x0000000001356000-memory.dmp

Filesize
24KB

Download
memory/4732-45-0x0000000005BF0000-0x0000000006208000-memory.dmp

Filesize
6.1MB

Download
memory/4732-46-0x00000000056E0000-0x00000000057EA000-memory.dmp

Filesize
1.0MB

Download
memory/4732-47-0x0000000005610000-0x0000000005622000-memory.dmp

Filesize
72KB

Download
memory/4732-48-0x0000000005670000-0x00000000056AC000-memory.dmp

Filesize
240KB

Download
memory/4732-49-0x00000000057F0000-0x000000000583C000-memory.dmp

Filesize
304KB

Download