amadey | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe
Size

1.3MB
MD5

546b638f06657955666299dcead4ea56
SHA1

6714be04f61627cde0ce56ea6da5dac844faa55a
SHA256

4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5
SHA512

4a1896a72963c9931520ca4365f8d5e31bd9644562218ea6d5866ca6fb8f8923e4291752c35c255879212aa33a4dd64caa274e019dbe6144bd9f2e911c0096d5
SSDEEP

24576:5yJYHB+O7bfYoN2SO7/OKvsCQnP93Q7tlI2zhFaa5YjBDcP9p3BsdP3l56/9:sJa7bMSObOKvsCQ1AZljtFaZDc3eP15C

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m2129241.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3270982.exe	family_redline
behavioral4/memory/4464-43-0x0000000000DA0000-0x0000000000DD0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

l7189913.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	l7189913.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 9 IoCs

Processes:

y4232902.exey7048778.exey9712527.exel7189913.exesaves.exem2129241.exen3270982.exesaves.exesaves.exe

pid process

1812 y4232902.exe
5084 y7048778.exe
4348 y9712527.exe
3248 l7189913.exe
2524 saves.exe
4256 m2129241.exe
4464 n3270982.exe
3564 saves.exe
3120 saves.exe

pid	process
1812	y4232902.exe
5084	y7048778.exe
4348	y9712527.exe
3248	l7189913.exe
2524	saves.exe
4256	m2129241.exe
4464	n3270982.exe
3564	saves.exe
3120	saves.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y7048778.exey9712527.exe4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exey4232902.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7048778.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y9712527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4232902.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4760 schtasks.exe

pid	process
4760	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exey4232902.exey7048778.exey9712527.exel7189913.exesaves.execmd.exe

description	pid	process	target process
PID 2568 wrote to memory of 1812	2568	4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe	y4232902.exe
PID 2568 wrote to memory of 1812	2568	4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe	y4232902.exe
PID 2568 wrote to memory of 1812	2568	4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe	y4232902.exe
PID 1812 wrote to memory of 5084	1812	y4232902.exe	y7048778.exe
PID 1812 wrote to memory of 5084	1812	y4232902.exe	y7048778.exe
PID 1812 wrote to memory of 5084	1812	y4232902.exe	y7048778.exe
PID 5084 wrote to memory of 4348	5084	y7048778.exe	y9712527.exe
PID 5084 wrote to memory of 4348	5084	y7048778.exe	y9712527.exe
PID 5084 wrote to memory of 4348	5084	y7048778.exe	y9712527.exe
PID 4348 wrote to memory of 3248	4348	y9712527.exe	l7189913.exe
PID 4348 wrote to memory of 3248	4348	y9712527.exe	l7189913.exe
PID 4348 wrote to memory of 3248	4348	y9712527.exe	l7189913.exe
PID 3248 wrote to memory of 2524	3248	l7189913.exe	saves.exe
PID 3248 wrote to memory of 2524	3248	l7189913.exe	saves.exe
PID 3248 wrote to memory of 2524	3248	l7189913.exe	saves.exe
PID 4348 wrote to memory of 4256	4348	y9712527.exe	m2129241.exe
PID 4348 wrote to memory of 4256	4348	y9712527.exe	m2129241.exe
PID 4348 wrote to memory of 4256	4348	y9712527.exe	m2129241.exe
PID 2524 wrote to memory of 4760	2524	saves.exe	schtasks.exe
PID 2524 wrote to memory of 4760	2524	saves.exe	schtasks.exe
PID 2524 wrote to memory of 4760	2524	saves.exe	schtasks.exe
PID 2524 wrote to memory of 4948	2524	saves.exe	cmd.exe
PID 2524 wrote to memory of 4948	2524	saves.exe	cmd.exe
PID 2524 wrote to memory of 4948	2524	saves.exe	cmd.exe
PID 5084 wrote to memory of 4464	5084	y7048778.exe	n3270982.exe
PID 5084 wrote to memory of 4464	5084	y7048778.exe	n3270982.exe
PID 5084 wrote to memory of 4464	5084	y7048778.exe	n3270982.exe
PID 4948 wrote to memory of 4536	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 4536	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 4536	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 4432	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4432	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4432	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 2880	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 2880	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 2880	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 1860	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 1860	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 1860	4948	cmd.exe	cmd.exe
PID 4948 wrote to memory of 780	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 780	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 780	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4372	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4372	4948	cmd.exe	cacls.exe
PID 4948 wrote to memory of 4372	4948	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe
"C:\Users\Admin\AppData\Local\Temp\4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4232902.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4232902.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7048778.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7048778.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9712527.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9712527.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7189913.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7189913.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3248
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:4372
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m2129241.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m2129241.exe
        5⤵
        Executes dropped EXE
        
        PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3270982.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3270982.exe
      4⤵
      Executes dropped EXE
      PID:4464

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4232902.exe

Filesize
1.2MB

MD5
5a7d39661d7e93a563fe701fa7531c0a

SHA1
3f2359133aee032edddbfeba67a66e3715337ab8

SHA256
e15144e3301b62546f5b8bbbfc7d6a4f6d6c08de14807ad80c52de1982c21c83

SHA512
1c50bc81fdb7e2df3c81c98823a124e384fcb1eb839d384e1d66c6dfd712406a8cc6d39b66a3aec3c768e00d42e6d2d9978063ea3ff425771c3ac25b98ac9cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7048778.exe

Filesize
475KB

MD5
e970eaafaa006a1793f5b6ecb892ac03

SHA1
4d96fdd9d76ad669f1f428d80e7eea485fc5b7d0

SHA256
f7a55d0436f7213857036c90ad7962b2c821a58b9ce8b96e085ef7bd6622c862

SHA512
435c92131b53786f66a74d93dac9b19ec709b79620e3938934c434eeac854e5bb93f2fb75a836c1d911ee0149c2243b8aeee698006478fa49cc4a7253222e71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3270982.exe

Filesize
174KB

MD5
adf1a8ac8185c208328359fa0ce6a8e5

SHA1
04df326092c8df5eb9bd32d4d40517bbdf1a7925

SHA256
64b3ee27dd0dd75d582d53366d35a72ac2485edf4ca5082e785db900fb7f25b3

SHA512
21823d9bcd79e9431ed6165ac9ff13be4b8cf1cc3836bc9ee81c2e5508e8fb67e5cf766b7cfcfa540efd5a4f1b54360d5d0c756f7acab9f3993f9ac8368ac9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9712527.exe

Filesize
319KB

MD5
496154ec53fa9802c9aaa27746503b35

SHA1
5341c6e470299ee6c29d85cb8aad1355877a1f13

SHA256
fab9b8dc264f463a76eb3c4a68ca6d77a509f0238eaa12cd2c3ddc39d07abcc9

SHA512
9ee8eea60fe5b86332e5c947fcf61d50941f1d1498d7c18fd809e8d613d60c7611c0442351fc283c83c71b955df9d3300e0c95ad979166cdd6fa17413fe333a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7189913.exe

Filesize
337KB

MD5
d4d219b7c7f56576147c7087565b79fd

SHA1
2238717d9b4803bd20531a8f011c595ae29a31b1

SHA256
a24cef5ce747aa608a957e3b22986f1595ceeb0e2da8fbd684b9309899a5bf1c

SHA512
79afe034753a4884806fd98f256202e21f4ab0aa3a0a8fcf1c192a404ce9b4df0bbc8010372009653380212b20c7471e89d5cae3e260ea59def7d7af598a1e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m2129241.exe

Filesize
142KB

MD5
71807d63eeafe73fb2ccf2a441e698da

SHA1
00b7c486af727713dd4547efeeb6582a9cdcebcb

SHA256
90b83752111f3504a0eec0eb9db7697fd79eb32933a83c96d131a180bb890c4e

SHA512
0201bb1a0d8d8077e857a29953a1cf2ed5c6b535deb59e171fb685eb63a7af570b2643144ac65fb498c003c79ac2ecce1bb2ea878cf947039897b3aaed073850

Download Submit
memory/4464-43-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

Filesize
192KB

Download
memory/4464-44-0x00000000032B0000-0x00000000032B6000-memory.dmp

Filesize
24KB

Download
memory/4464-45-0x0000000005E40000-0x0000000006458000-memory.dmp

Filesize
6.1MB

Download
memory/4464-46-0x0000000005930000-0x0000000005A3A000-memory.dmp

Filesize
1.0MB

Download
memory/4464-47-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/4464-48-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4464-49-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download