amadey | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
Size

1.2MB
MD5

8c1c0914a0def51e04e998dd838101cd
SHA1

b87baade2891a73a85efed31f915502e52ac9c8a
SHA256

8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42
SHA512

2a5cbd449be690d512471ca0a3d1c3a8e1e6f88e31cb92cc01c007c418f90f4194f5b4d25c1d8781957be8a050617e21ca7eec9212bc5bac2db0c35db1160b55
SSDEEP

24576:nybWEzJzFzI7rAK+1QrZkCcedGcTkWKRLGFA34cMaxHzq96AuR6r6SR6T5Es:ybWEzNFzI/AK+1QaCcedGKkT3vxTqUyf

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral12/files/0x0007000000023417-39.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x0007000000023414-42.dat	family_redline
behavioral12/memory/4884-43-0x00000000003C0000-0x00000000003F0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	l6060572.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

pid	Process
1016	y5814265.exe
1648	y0727749.exe
1296	y4415555.exe
3060	l6060572.exe
4464	saves.exe
2184	m1961210.exe
4884	n3786566.exe
408	saves.exe
4508	saves.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5814265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0727749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y4415555.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1616	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 1016	4956	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe	82
PID 4956 wrote to memory of 1016	4956	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe	82
PID 4956 wrote to memory of 1016	4956	8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe	82
PID 1016 wrote to memory of 1648	1016	y5814265.exe	83
PID 1016 wrote to memory of 1648	1016	y5814265.exe	83
PID 1016 wrote to memory of 1648	1016	y5814265.exe	83
PID 1648 wrote to memory of 1296	1648	y0727749.exe	84
PID 1648 wrote to memory of 1296	1648	y0727749.exe	84
PID 1648 wrote to memory of 1296	1648	y0727749.exe	84
PID 1296 wrote to memory of 3060	1296	y4415555.exe	85
PID 1296 wrote to memory of 3060	1296	y4415555.exe	85
PID 1296 wrote to memory of 3060	1296	y4415555.exe	85
PID 3060 wrote to memory of 4464	3060	l6060572.exe	87
PID 3060 wrote to memory of 4464	3060	l6060572.exe	87
PID 3060 wrote to memory of 4464	3060	l6060572.exe	87
PID 1296 wrote to memory of 2184	1296	y4415555.exe	88
PID 1296 wrote to memory of 2184	1296	y4415555.exe	88
PID 1296 wrote to memory of 2184	1296	y4415555.exe	88
PID 1648 wrote to memory of 4884	1648	y0727749.exe	89
PID 1648 wrote to memory of 4884	1648	y0727749.exe	89
PID 1648 wrote to memory of 4884	1648	y0727749.exe	89
PID 4464 wrote to memory of 1616	4464	saves.exe	90
PID 4464 wrote to memory of 1616	4464	saves.exe	90
PID 4464 wrote to memory of 1616	4464	saves.exe	90
PID 4464 wrote to memory of 4552	4464	saves.exe	92
PID 4464 wrote to memory of 4552	4464	saves.exe	92
PID 4464 wrote to memory of 4552	4464	saves.exe	92
PID 4552 wrote to memory of 1692	4552	cmd.exe	94
PID 4552 wrote to memory of 1692	4552	cmd.exe	94
PID 4552 wrote to memory of 1692	4552	cmd.exe	94
PID 4552 wrote to memory of 2340	4552	cmd.exe	95
PID 4552 wrote to memory of 2340	4552	cmd.exe	95
PID 4552 wrote to memory of 2340	4552	cmd.exe	95
PID 4552 wrote to memory of 2080	4552	cmd.exe	96
PID 4552 wrote to memory of 2080	4552	cmd.exe	96
PID 4552 wrote to memory of 2080	4552	cmd.exe	96
PID 4552 wrote to memory of 60	4552	cmd.exe	97
PID 4552 wrote to memory of 60	4552	cmd.exe	97
PID 4552 wrote to memory of 60	4552	cmd.exe	97
PID 4552 wrote to memory of 1544	4552	cmd.exe	98
PID 4552 wrote to memory of 1544	4552	cmd.exe	98
PID 4552 wrote to memory of 1544	4552	cmd.exe	98
PID 4552 wrote to memory of 404	4552	cmd.exe	99
PID 4552 wrote to memory of 404	4552	cmd.exe	99
PID 4552 wrote to memory of 404	4552	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
"C:\Users\Admin\AppData\Local\Temp\8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814265.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814265.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0727749.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0727749.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4415555.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4415555.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l6060572.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l6060572.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:404
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1961210.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1961210.exe
        5⤵
        Executes dropped EXE
        
        PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3786566.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3786566.exe
      4⤵
      Executes dropped EXE
      PID:4884

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814265.exe

Filesize
1.1MB

MD5
aa4d4ad338e8e551114d9d85f2a031a4

SHA1
35f60dde4386e20b755ef41c437b2c1ce1716c1a

SHA256
4d1b51d579d3fe54ae45157358809f193325e900b72ed6ebb0f2110d4e03acf3

SHA512
ab40ad5ea4aef4be07d03240003baabddb37f4aa2104b92a239c5e65551cfa14d16b9a13e2172364bf13a7c659a6ad63f0df58fdae4385e8875d073f7f2f631e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0727749.exe

Filesize
475KB

MD5
8ac394bb457b45f64caa8510e90284e9

SHA1
25a8038634e2d9bbe11bf62fbdf301c1792c94be

SHA256
fc8d9d51877cae60f1229e0502e634edabb0c0047e5fa2123bdf3d806be86ff3

SHA512
c5be52edf7e76a2436bc531a50f4502adfce3677b44c6f0d82e32891e947528defe289510e288ed1ca96d146cf6d12e94dd801b6505ed6bd7d0de2f0473c95ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3786566.exe

Filesize
174KB

MD5
8d32340fdf8442a241158774abb34e19

SHA1
9ebef518b75d702fbaa1e7e9b3633d5cca25ec14

SHA256
26439ad1a73d2b60e18639cc5881edd14c95ccad667a48ddd2a62083cf80b4b4

SHA512
7ff44388e36b102056df4f218fc642e90f87290f69b4de0adb86214cdf0c0dca1cf9cc9eaefc287f603f12a89fc7cff7e474b11e1af7c8d62d1727e312bdbca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4415555.exe

Filesize
319KB

MD5
fcb1f8e59c9bfbd8327b0bd981d3a8a7

SHA1
29304a7017ba311eac729688ee076f165b9b34f4

SHA256
8d06fe3e0d8770dc1535fc0bb0c6b23bb07b06d713bc9d61e3aae530ec85c1a9

SHA512
f897a61270c73797b273936a9526782762d74669cb8de7c7dd59596b99e9c89a9a41e5c6774f3eaaf0e99c6c4e203910d89e7a5ba2e2f92077ccfc99ac801900

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l6060572.exe

Filesize
337KB

MD5
408d61c25ae8e8a4f0e393420d122653

SHA1
3f30e056d27cc60bac5897e0101ddf77eb6c3e75

SHA256
62d857831a501237da194659ff2526d90eec828ea04ba4cc6486422d52aae26d

SHA512
c8b1c1310e175cc382e58e41cae53cfeb72417e0a96addcb8c329e567a5bf25005aa6f953bef2a729f7586f4cb15ffb99a19512ce7e7828f225997caf160d72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1961210.exe

Filesize
142KB

MD5
324905fc85eb390c1ef3e707a7a589ba

SHA1
6bce9aac9311620dc2a096dcb608e53f9d0a3263

SHA256
9a111fa4a6fa5ccd2cb5cd55b0e8ee6423ea3bf62ee657527b0093d62b238a66

SHA512
3db649b624fc684a2bb8ee228d0ef2eac8bdf352b31b7c2bfe4030a5e2aa561549e7712e03ea32a5b6017d11d9b15cce0093060a27df937894fb2791485f9f2b

Download Submit
memory/4884-44-0x00000000026F0000-0x00000000026F6000-memory.dmp

Filesize
24KB

Download
memory/4884-43-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/4884-45-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/4884-47-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/4884-46-0x0000000004F90000-0x000000000509A000-memory.dmp

Filesize
1.0MB

Download
memory/4884-48-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

Filesize
240KB

Download
memory/4884-49-0x0000000004F30000-0x0000000004F7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads