amadey | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe
Size

1.1MB
MD5

7f58d8caedf6979bee301182a64a19bd
SHA1

b772e45e5ca373a2ee2e081b8f8645b25699d610
SHA256

73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f
SHA512

fdcb426e044be7279c2958b89b6423b5e5d6cf9ab2cc58213ac885b5a8a7a8d2a30a63dbfa924c201068ad07612ab50244726e407be616896b3d2491a1a70455
SSDEEP

24576:CywoOMiEqHorKYErxslRGgHTqqEwg28UJZTiR:pw8iE4qKYErCgIgDUe

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral10/files/0x00070000000234b0-31.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x00070000000234ad-34.dat	family_redline
behavioral10/memory/1908-36-0x00000000005B0000-0x00000000005E0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	l9237878.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 8 IoCs

pid	Process
4064	y4858095.exe
3976	y1334112.exe
2484	l9237878.exe
1072	saves.exe
4812	m2615708.exe
1908	n5306328.exe
1168	saves.exe
1100	saves.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4858095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1334112.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4800	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4064	3432	73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe	83
PID 3432 wrote to memory of 4064	3432	73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe	83
PID 3432 wrote to memory of 4064	3432	73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe	83
PID 4064 wrote to memory of 3976	4064	y4858095.exe	84
PID 4064 wrote to memory of 3976	4064	y4858095.exe	84
PID 4064 wrote to memory of 3976	4064	y4858095.exe	84
PID 3976 wrote to memory of 2484	3976	y1334112.exe	85
PID 3976 wrote to memory of 2484	3976	y1334112.exe	85
PID 3976 wrote to memory of 2484	3976	y1334112.exe	85
PID 2484 wrote to memory of 1072	2484	l9237878.exe	86
PID 2484 wrote to memory of 1072	2484	l9237878.exe	86
PID 2484 wrote to memory of 1072	2484	l9237878.exe	86
PID 3976 wrote to memory of 4812	3976	y1334112.exe	87
PID 3976 wrote to memory of 4812	3976	y1334112.exe	87
PID 3976 wrote to memory of 4812	3976	y1334112.exe	87
PID 4064 wrote to memory of 1908	4064	y4858095.exe	88
PID 4064 wrote to memory of 1908	4064	y4858095.exe	88
PID 4064 wrote to memory of 1908	4064	y4858095.exe	88
PID 1072 wrote to memory of 4800	1072	saves.exe	89
PID 1072 wrote to memory of 4800	1072	saves.exe	89
PID 1072 wrote to memory of 4800	1072	saves.exe	89
PID 1072 wrote to memory of 3484	1072	saves.exe	91
PID 1072 wrote to memory of 3484	1072	saves.exe	91
PID 1072 wrote to memory of 3484	1072	saves.exe	91
PID 3484 wrote to memory of 4552	3484	cmd.exe	93
PID 3484 wrote to memory of 4552	3484	cmd.exe	93
PID 3484 wrote to memory of 4552	3484	cmd.exe	93
PID 3484 wrote to memory of 5080	3484	cmd.exe	94
PID 3484 wrote to memory of 5080	3484	cmd.exe	94
PID 3484 wrote to memory of 5080	3484	cmd.exe	94
PID 3484 wrote to memory of 1424	3484	cmd.exe	95
PID 3484 wrote to memory of 1424	3484	cmd.exe	95
PID 3484 wrote to memory of 1424	3484	cmd.exe	95
PID 3484 wrote to memory of 392	3484	cmd.exe	96
PID 3484 wrote to memory of 392	3484	cmd.exe	96
PID 3484 wrote to memory of 392	3484	cmd.exe	96
PID 3484 wrote to memory of 4384	3484	cmd.exe	97
PID 3484 wrote to memory of 4384	3484	cmd.exe	97
PID 3484 wrote to memory of 4384	3484	cmd.exe	97
PID 3484 wrote to memory of 2300	3484	cmd.exe	98
PID 3484 wrote to memory of 2300	3484	cmd.exe	98
PID 3484 wrote to memory of 2300	3484	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe
"C:\Users\Admin\AppData\Local\Temp\73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4858095.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4858095.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1334112.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1334112.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9237878.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9237878.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4800
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        7⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        7⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        7⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        7⤵
        
        PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2615708.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2615708.exe
      4⤵
      Executes dropped EXE
      PID:4812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5306328.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5306328.exe
    3⤵
    - Executes dropped EXE
    PID:1908

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4858095.exe

Filesize
476KB

MD5
b87ab4cfa4fdbf9267211e471074f9e6

SHA1
01bd2fb3143e8dfa3850531e5cd8930c530b3d2a

SHA256
ca18391cdea182ffa743288bc81f848abcdacd873c86f53809e6282326062ffb

SHA512
f565b231be7041c59a0e9d9b96fa4586c82f8fbc9c737620f41dc640e8607dc79ea9e64c3d1b2bca157ab618d19ea6a77df954b87a95a77c896e45b403c40098

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5306328.exe

Filesize
174KB

MD5
47761eb8c7d81268545b33d771a5efd7

SHA1
bb62c66a75317ec35f170eef46bdcf8dbe09cd48

SHA256
9d591f5b57f1bc343f05989fc71299607e89bd14bfea487f88fb2a430cb6f130

SHA512
c52c71343585133d63d44d1c20fe3a3686e28598274e5469a7dcfb8adf0003978c956e79f46a412aed6979d9441f282e1263af6e0c0108eeb91f2bdc7950cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1334112.exe

Filesize
320KB

MD5
baf699bd2049c91003dadabb89af54fc

SHA1
4f9af4dcfdcf56c01bda78c1105a3afed7e1184e

SHA256
f56cfc67562783945f2812c02a081ac78df990e82b22adf253f84f3c0df83b21

SHA512
7d58968e9ebdcf3770b1ab7f1f0982a274556597da0c5042a93324571234cb5b9807dc47983ea6f9499f3dc7ec00df2fa7bf0b419c3baab8c718b3ee554c90c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9237878.exe

Filesize
337KB

MD5
31b5674b1b671aa536e80c28a5b53f83

SHA1
c921ad2337a85286df9b895052462a4da2cb0cc6

SHA256
8b162190fda6d9da271f1c5f08c2b82eebe52d57a1002f2d441f1e0db5acaaa7

SHA512
45b9463e451694cd423d61666aaa7e4f008e979a3d1659948739dda6ebfffb492c6bb6643641f2ffa672faac31fe52d3dceda7f1ac10309c678d7c4eb084c2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2615708.exe

Filesize
142KB

MD5
76380580a56e40321f92d79d5fa90d8a

SHA1
8fcd0e17a8ef5efc31a0170fa79e3056bf973a7f

SHA256
d39c16be8c623dafd4d379da806bd663347bc620156d8ec31c0a4d7d97cba788

SHA512
0477ca0a317eaaae42e463eb2cfdefcd895099c4fce68d3fce1cbb01bac3f7abf26354baa6f0949f54c21e489956c5d7db6f799cc6d0b4a1ed609fe9fbc3bbdf

Download Submit
memory/1908-36-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/1908-37-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/1908-38-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download
memory/1908-39-0x0000000005100000-0x000000000520A000-memory.dmp

Filesize
1.0MB

Download
memory/1908-40-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1908-41-0x0000000004E90000-0x0000000004ECC000-memory.dmp

Filesize
240KB

Download
memory/1908-42-0x0000000004FF0000-0x000000000503C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads