amadey | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe
Size

476KB
MD5

1f97ceddfda581c9ec60046f75303998
SHA1

46877392054ca0be8a14c4e1d9b3d29e07207dab
SHA256

4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687
SHA512

fa8de06624492e47336c1df59269b2ce95aa73016f75f50514bc8e7d72d5fd3d453cb9af4b4a7673b91f3582b5ac639f264f674de11beb0cec2535f66a9ae076
SSDEEP

6144:Kzy+bnr+up0yN90QE8nNKUZvdbWjVJGZ0KbFOfs/jfh3Q+KRFgEXtaBv7+hKBfsR:FMr+y90WnrFz75g+KRuEXYp7nBfBp45

Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4839651.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral6/memory/2984-29-0x0000000000D00000-0x0000000000D30000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2557588.exe	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r6888122.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	r6888122.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 7 IoCs

Processes:

z0625404.exer6888122.exesaves.exes4839651.exet2557588.exesaves.exesaves.exe

pid process

2948 z0625404.exe
4732 r6888122.exe
60 saves.exe
2212 s4839651.exe
2984 t2557588.exe
3896 saves.exe
1900 saves.exe

pid	process
2948	z0625404.exe
4732	r6888122.exe
60	saves.exe
2212	s4839651.exe
2984	t2557588.exe
3896	saves.exe
1900	saves.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exez0625404.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0625404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1964 schtasks.exe

pid	process
1964	schtasks.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exez0625404.exer6888122.exesaves.execmd.exe

description	pid	process	target process
PID 4172 wrote to memory of 2948	4172	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	z0625404.exe
PID 4172 wrote to memory of 2948	4172	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	z0625404.exe
PID 4172 wrote to memory of 2948	4172	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	z0625404.exe
PID 2948 wrote to memory of 4732	2948	z0625404.exe	r6888122.exe
PID 2948 wrote to memory of 4732	2948	z0625404.exe	r6888122.exe
PID 2948 wrote to memory of 4732	2948	z0625404.exe	r6888122.exe
PID 4732 wrote to memory of 60	4732	r6888122.exe	saves.exe
PID 4732 wrote to memory of 60	4732	r6888122.exe	saves.exe
PID 4732 wrote to memory of 60	4732	r6888122.exe	saves.exe
PID 2948 wrote to memory of 2212	2948	z0625404.exe	s4839651.exe
PID 2948 wrote to memory of 2212	2948	z0625404.exe	s4839651.exe
PID 2948 wrote to memory of 2212	2948	z0625404.exe	s4839651.exe
PID 4172 wrote to memory of 2984	4172	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	t2557588.exe
PID 4172 wrote to memory of 2984	4172	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	t2557588.exe
PID 4172 wrote to memory of 2984	4172	4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe	t2557588.exe
PID 60 wrote to memory of 1964	60	saves.exe	schtasks.exe
PID 60 wrote to memory of 1964	60	saves.exe	schtasks.exe
PID 60 wrote to memory of 1964	60	saves.exe	schtasks.exe
PID 60 wrote to memory of 4796	60	saves.exe	cmd.exe
PID 60 wrote to memory of 4796	60	saves.exe	cmd.exe
PID 60 wrote to memory of 4796	60	saves.exe	cmd.exe
PID 4796 wrote to memory of 1716	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 1716	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 1716	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 2008	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 2008	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 2008	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 3404	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 3404	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 3404	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 1508	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 1508	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 1508	4796	cmd.exe	cmd.exe
PID 4796 wrote to memory of 4848	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 4848	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 4848	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 3212	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 3212	4796	cmd.exe	cacls.exe
PID 4796 wrote to memory of 3212	4796	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe
"C:\Users\Admin\AppData\Local\Temp\4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0625404.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0625404.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6888122.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6888122.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
5⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1716

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
6⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
6⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1508

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
6⤵
PID:4848

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
6⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4839651.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4839651.exe
3⤵
- Executes dropped EXE
PID:2212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2557588.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2557588.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2557588.exe
Filesize
174KB

MD5
01ee06badc69d433b00e86d9470d913b

SHA1
2db998f2f388f3e9c2a4526fd2a03110e254a0b3

SHA256
e31f4292ca9c86113f6c396cd537caab35451b0840a4d3a12ce40823f46fc31f

SHA512
57680a2ab80f8020053d58b64caed2263b321b69bd7700f7986ade20fd9451341f9e868e0a2d3749f8bfe98e07ff4f20c3e454f24a5d6bc6fa175444a6bf2dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0625404.exe
Filesize
320KB

MD5
f88f7827d88253cf38cdb887fbb5c255

SHA1
83e5c7652ec7699f9f18c28c3fc1e846234a46ef

SHA256
27a01654c39051987d670d7b762a6b543ff80af71d8c9b116c7f9794490355c0

SHA512
f277f7ede2e3658c165e4674d4de3d199ea108c7d88b53f9373ea7ac0543014b876ffe57c8d53e2a52b4b5ceed1e7f15890f85d5eea7ef4c5c37b5015e910416

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6888122.exe
Filesize
337KB

MD5
a42d6158cc5dbd66ba3e36efe268aa0b

SHA1
526e8f3db8b47b9bbd640e902b25671abfe24016

SHA256
3bd0dea6d199b48c8ea787136c7c973fa5ca50bdcc21391777a4cb5a486111bb

SHA512
63ddef981bcc88b68798698eadf28541183feab585ed3322509df1dab219c21f8f75f85cbd334abaed753c3b6d73fbaf54665f44b6f95106a54b8a6612225da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s4839651.exe
Filesize
142KB

MD5
96b43a16b427e278730ace6aa223376b

SHA1
2e135735479761b8223e6f206f1fb5cfb30ab93a

SHA256
dda098266842d041ce3f9ec2c70d8bb2999a1135fe574307dac628e7692e3210

SHA512
5648c52430fc119e03879779ccfa2632888db160eeb776322b0e927397b1c02b006886558f726e1be20cff7da430fb304ab6b61c04f12194d268c02df8797b36

Download Submit
memory/2984-29-0x0000000000D00000-0x0000000000D30000-memory.dmp

Filesize
192KB

Download
memory/2984-30-0x0000000003080000-0x0000000003086000-memory.dmp

Filesize
24KB

Download
memory/2984-31-0x0000000005DD0000-0x00000000063E8000-memory.dmp

Filesize
6.1MB

Download
memory/2984-33-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/2984-34-0x0000000005830000-0x000000000586C000-memory.dmp

Filesize
240KB

Download
memory/2984-35-0x0000000005870000-0x00000000058BC000-memory.dmp

Filesize
304KB

Download
memory/2984-32-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download