Analysis

  • max time kernel: 112s
  • max time network: 115s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-08-2024 10:30

General

  • Target: babf775aef8a72d2c0d67e5672d9aad0N.exe
  • Size: 1.2MB
  • MD5: babf775aef8a72d2c0d67e5672d9aad0
  • SHA1: 94fbb1f158ef29f04a379dd7b89d49b0adb83ad4
  • SHA256: 6455e79e2a8a5516051b19fd975bf617e87992a5de5913e8bbdd31058de30f5a
  • SHA512: 514ef627e620d56d6498638e3baa00ff328186f29505cbd19ae04f6e516a0a790a053a9cd256531f5bb5684c0b3f753f422449e704e831f3ab3e869ad378ae8a
  • SSDEEP: 24576:uyTF2wuHoovnVGwIDaOj45KWcr1AEQ4FXHAc6wVam6p61YEDM10l:9THol6aM40Wcr1Rxwp6CL

Malware Config

Extracted

  • Family: redline
  • Botnet: grome
  • C2: 77.91.124.86:19084

Extracted

  • Family: amadey
  • Version: 3.89
  • Botnet: 04d170
  • C2: http://77.91.124.1
  • Attributes
    • install_dir: fefffe8cea
    • install_file: explothe.exe
    • strings_key: 36a96139c1118a354edf72b1080d4b2f
    • url_paths: /theme/index.php
    • rc4.plain

Signatures

  • Amadey
    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  • Detect Mystic stealer payload (3 IoCs)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Mystic
    Mystic is an infostealer written in C++.
  • RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  • RedLine payload (1 IoC)
  • SmokeLoader
    Modular backdoor trojan in use since 2014.
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (11 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 21 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\babf775aef8a72d2c0d67e5672d9aad0N.exe
    "C:\Users\Admin\AppData\Local\Temp\babf775aef8a72d2c0d67e5672d9aad0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cd2be93.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cd2be93.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dI0hQ22.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dI0hQ22.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VJ7DA33.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VJ7DA33.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3140
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KD93je7.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KD93je7.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2100
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:3052
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                • Modifies Windows Defender Real-time Protection settings
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3860
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mR9979.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mR9979.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4540
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:540
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3CW82cz.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3CW82cz.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks SCSI registry key(s)
            PID:2240
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4QI787XZ.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4QI787XZ.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3536
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5By7kv3.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5By7kv3.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
          "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4812
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4912
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4312
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "explothe.exe" /P "Admin:N"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3204
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "explothe.exe" /P "Admin:R" /E
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2716
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3600
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\fefffe8cea" /P "Admin:N"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3896
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\fefffe8cea" /P "Admin:R" /E
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3008
    • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      1⤵
      • Executes dropped EXE
      PID:5096
    • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      1⤵
      • Executes dropped EXE
      PID:2784


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5By7kv3.exe

      Filesize

      220KB


    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cd2be93.exe

      Filesize

      1.0MB


    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4QI787XZ.exe

      Filesize

      1.1MB


    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dI0hQ22.exe

      Filesize

      643KB


    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3CW82cz.exe

      Filesize

      30KB


    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VJ7DA33.exe

      Filesize

      519KB


    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KD93je7.exe

      Filesize

      878KB


    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mR9979.exe

      Filesize

      1.1MB

