amadey | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
134s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe
Size

1.1MB
MD5

491a1a616709c3545421cfe7e9a0a5fe
SHA1

6209307eb09238a51579b3edc7bfbde97c768f0d
SHA256

396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0
SHA512

87a8177818b18120384e0bc87a8c708064220015e222f15803065883749afce38e2a5c5e9af6ddcf5f3f15ff18818a10290f5cd42a19095dcf11af9d779c9491
SSDEEP

24576:sy0xoIFWVsveTG7W2KWEbrHG0+1TryyzBEPx7Ff5F4LTmmgcDAg+j:bPIFWVs2TGS2KWEbrm0QyIqPD4TQ

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4533809.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8784361.exe	family_redline
behavioral8/memory/1204-36-0x0000000000EC0000-0x0000000000EF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l3899700.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	l3899700.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 8 IoCs

Processes:

y2074372.exey8785424.exel3899700.exesaves.exem4533809.exen8784361.exesaves.exesaves.exe

pid process

3348 y2074372.exe
4308 y8785424.exe
3968 l3899700.exe
3988 saves.exe
4384 m4533809.exe
1204 n8784361.exe
396 saves.exe
1948 saves.exe

pid	process
3348	y2074372.exe
4308	y8785424.exe
3968	l3899700.exe
3988	saves.exe
4384	m4533809.exe
1204	n8784361.exe
396	saves.exe
1948	saves.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exey2074372.exey8785424.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2074372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8785424.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3444 schtasks.exe

pid	process
3444	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exey2074372.exey8785424.exel3899700.exesaves.execmd.exe

description	pid	process	target process
PID 4712 wrote to memory of 3348	4712	396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe	y2074372.exe
PID 4712 wrote to memory of 3348	4712	396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe	y2074372.exe
PID 4712 wrote to memory of 3348	4712	396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe	y2074372.exe
PID 3348 wrote to memory of 4308	3348	y2074372.exe	y8785424.exe
PID 3348 wrote to memory of 4308	3348	y2074372.exe	y8785424.exe
PID 3348 wrote to memory of 4308	3348	y2074372.exe	y8785424.exe
PID 4308 wrote to memory of 3968	4308	y8785424.exe	l3899700.exe
PID 4308 wrote to memory of 3968	4308	y8785424.exe	l3899700.exe
PID 4308 wrote to memory of 3968	4308	y8785424.exe	l3899700.exe
PID 3968 wrote to memory of 3988	3968	l3899700.exe	saves.exe
PID 3968 wrote to memory of 3988	3968	l3899700.exe	saves.exe
PID 3968 wrote to memory of 3988	3968	l3899700.exe	saves.exe
PID 4308 wrote to memory of 4384	4308	y8785424.exe	m4533809.exe
PID 4308 wrote to memory of 4384	4308	y8785424.exe	m4533809.exe
PID 4308 wrote to memory of 4384	4308	y8785424.exe	m4533809.exe
PID 3348 wrote to memory of 1204	3348	y2074372.exe	n8784361.exe
PID 3348 wrote to memory of 1204	3348	y2074372.exe	n8784361.exe
PID 3348 wrote to memory of 1204	3348	y2074372.exe	n8784361.exe
PID 3988 wrote to memory of 3444	3988	saves.exe	schtasks.exe
PID 3988 wrote to memory of 3444	3988	saves.exe	schtasks.exe
PID 3988 wrote to memory of 3444	3988	saves.exe	schtasks.exe
PID 3988 wrote to memory of 2280	3988	saves.exe	cmd.exe
PID 3988 wrote to memory of 2280	3988	saves.exe	cmd.exe
PID 3988 wrote to memory of 2280	3988	saves.exe	cmd.exe
PID 2280 wrote to memory of 3088	2280	cmd.exe	cmd.exe
PID 2280 wrote to memory of 3088	2280	cmd.exe	cmd.exe
PID 2280 wrote to memory of 3088	2280	cmd.exe	cmd.exe
PID 2280 wrote to memory of 5060	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 5060	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 5060	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 1588	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 1588	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 1588	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 3940	2280	cmd.exe	cmd.exe
PID 2280 wrote to memory of 3940	2280	cmd.exe	cmd.exe
PID 2280 wrote to memory of 3940	2280	cmd.exe	cmd.exe
PID 2280 wrote to memory of 4228	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 4228	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 4228	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 556	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 556	2280	cmd.exe	cacls.exe
PID 2280 wrote to memory of 556	2280	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe
"C:\Users\Admin\AppData\Local\Temp\396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2074372.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2074372.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785424.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785424.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3899700.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3899700.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
6⤵
- Creates scheduled task(s)
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3088

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
7⤵
PID:5060

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
7⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3940

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
7⤵
PID:4228

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
7⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4533809.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4533809.exe
4⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8784361.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8784361.exe
3⤵
- Executes dropped EXE
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:396

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2074372.exe
Filesize
475KB

MD5
f86647f1907c42d569b9f0ffbed99161

SHA1
251b7c5a5272d6b78b10da2851b47cf174dfc3a6

SHA256
e1e7d7c1d59065d07e4fba642299af5fb55b58b3474006c6e7bc814e3fbec2d8

SHA512
82a0d5365387cbb87059d1295c9235414dbeb9b9442c242595b073a4fae753a4f1d56059801029f6878338b1ab400ca66310ff0f5d03bfe6ef5eafa1a4e96879

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8784361.exe
Filesize
173KB

MD5
071262ed56f897e2b659d87090755554

SHA1
e9b977339b8fcfb7163cd09dfe0ca3225d81fcd5

SHA256
9e1b48b291ec682abadcb2724de66c9ff9ba6275b33f1c390093145b76402a1b

SHA512
b14c2ff9cad5dee07e6f8662c45742a9708c19811e5fd437bb9189dc6e0b5ccb44594e8f1a03c47eebf81dc9bfa1f898816cf54774a45fc7fe76a6b44bbda9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785424.exe
Filesize
320KB

MD5
7586ac961fc6fe8ea3fb77df78713e2b

SHA1
caeb831cb4e16c719488a160ff25b0b7bce02489

SHA256
884358d16ddaa1a81d30ee28f422753fdd28aca70c7258bd10bcf8074a2eb113

SHA512
f1b1934493227b3d67daab4016f047712611483fa7016038ff362e3bb1ba05b7b76cf55d082384d90122740b70923a87fb06c98d42cad0914cc4cd27392787f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3899700.exe
Filesize
336KB

MD5
c303d5cd4b1189cd2b31500998b22eb4

SHA1
e1fa90ea9d75e87b2a828b50bb4e4d5cdfd6d8b7

SHA256
da9da65281f19ab42e591901d772f89f3e66046152684d2fb033967d0d6cfca3

SHA512
fb50f13bf81f843fe2c2941a3b4c80677d35ce117ce89a9cee490c538690394f9835e3c08ea45322b4ebf54f31cd4296a79fc12a6df89f4d15d5ec72c4019572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4533809.exe
Filesize
141KB

MD5
63491b31eedba73a8f01f2a5205cc933

SHA1
cbd8accb0bfe1fb9c68126f9e3de2613f89aa46b

SHA256
86b6efaa8af43464a82c8dbcd6e57f1028c69bb3e1a24f32320a18d6d3140f54

SHA512
855a44c735c32dc10db606e26d18dd2e4e2e2c42db63c1ef70a534abde85748b852accad7828ad12a8af8fc836f7d68492ecca7fb994160b3a804a6bab8841f3

Download Submit
memory/1204-36-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

Filesize
192KB

Download
memory/1204-37-0x00000000030C0000-0x00000000030C6000-memory.dmp

Filesize
24KB

Download
memory/1204-38-0x0000000005EE0000-0x00000000064F8000-memory.dmp

Filesize
6.1MB

Download
memory/1204-39-0x00000000059D0000-0x0000000005ADA000-memory.dmp

Filesize
1.0MB

Download
memory/1204-40-0x0000000005830000-0x0000000005842000-memory.dmp

Filesize
72KB

Download
memory/1204-41-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/1204-42-0x0000000005900000-0x000000000594C000-memory.dmp

Filesize
304KB

Download