Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-11-2024 17:35

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    8e05c72da260ffa2255ca5b309377959

  • SHA1

    14031a40973ef9851a9e6dd2d1843b00247c32f0

  • SHA256

    229e859dda6cc0bc99a395824f4524693bdd0292b4b9c55d06b4fa38279b3ea2

  • SHA512

    7d892604849fc3813913789659d101ac7533dd78bd06a5bb5a6f9bc4bab04a6b5775c55dcd3c76226324351df8e540d512da6c267d2dcd00b440e330f85ab703

  • SSDEEP

    24576:dyHo8DR+yHRO8U4EkyicLd4nkszZZz169AHg4XHXQn9rpWwRGNRXhSYOID:4X4yxO8U4UicLC1ZZy4XgnlpxYN

Malware Config

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain
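The two configs above give concrete network indicators: a raw RedLine socket (77.91.124.86:19084) and an Amadey check-in that is only fully specified by combining the C2 host with the url_paths entry (http://77.91.124.1/theme/index.php). The following is an added example, not part of the sandbox report, showing how to normalise those fields into host/port/path indicators and match them against network telemetry. The indicator values are copied from the Malware Config section; the key=value log format, the log lines themselves and all function names are this example's own assumptions, and the lines are constructed for illustration.

```python
"""Match extracted C2 config against constructed network log lines (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Values from the report's Malware Config section.
REDLINE_C2 = "77.91.124.86:19084"        # RedLine, botnet "plost" (raw TCP)
AMADEY_C2 = "http://77.91.124.1"         # Amadey 3.89, botnet "04d170"
AMADEY_URL_PATHS = ["/theme/index.php"]  # check-in path appended to the C2 host


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str
    port: int
    path: Optional[str]  # None: any traffic to host:port matches (socket indicator)


def build_indicators() -> List[Indicator]:
    """Normalise the two config shapes (host:port vs. URL + paths) into one form."""
    host, port = REDLINE_C2.rsplit(":", 1)
    out = [Indicator("redline", host, int(port), None)]
    u = urlsplit(AMADEY_C2)
    default_port = 443 if u.scheme == "https" else 80
    for path in AMADEY_URL_PATHS:
        out.append(Indicator("amadey", u.hostname, u.port or default_port, path))
    return out


def match_connection(dst_host: str, dst_port: int, uri: Optional[str],
                     indicators: List[Indicator]) -> Optional[str]:
    """Return the matching family name, or None. HTTP indicators need host, port AND path."""
    for ind in indicators:
        if ind.host != dst_host or ind.port != dst_port:
            continue
        if ind.path is None:
            return ind.family
        if uri is not None and urlsplit(uri).path == ind.path:
            return ind.family
    return None


# Constructed sample telemetry (assumed key=value layout); not from the report.
LOG_LINES = [
    "ts=1730741712 src=10.0.0.5:49812 dst=77.91.124.86:19084 proto=tcp",
    "ts=1730741713 src=10.0.0.5:49813 dst=77.91.124.1:80 proto=http method=POST uri=/theme/index.php",
    "ts=1730741714 src=10.0.0.5:49814 dst=77.91.124.1:80 proto=http method=GET uri=/",
    "ts=1730741715 src=10.0.0.5:49815 dst=77.91.124.86:80 proto=http method=GET uri=/theme/index.php",
    "ts=1730741716 src=10.0.0.5:49816 dst=93.184.216.34:443 proto=tcp",
]


def parse_line(line: str) -> Tuple[str, int, Optional[str]]:
    """Pull destination host, port and (optional) request URI out of one log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    host, port = fields["dst"].rsplit(":", 1)
    return host, int(port), fields.get("uri")


def scan(lines: List[str], indicators: List[Indicator]) -> List[Tuple[int, str]]:
    """Return (1-based line number, family) for every line hitting an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        host, port, uri = parse_line(line)
        family = match_connection(host, port, uri, indicators)
        if family:
            hits.append((n, family))
    return hits


if __name__ == "__main__":
    for n, family in scan(LOG_LINES, build_indicators()):
        print(f"line {n}: {family}")
```

Lines 3 and 4 deliberately share either the Amadey host or the Amadey path with a real hit and must not match: a plain `GET /` to 77.91.124.1 is not the check-in, and /theme/index.php on a different host is a generic-looking path. Matching host, port and path together keeps a short-lived IP indicator from turning into a noisy rule.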

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Mystic family
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE3yv05.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE3yv05.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uk9Fo72.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uk9Fo72.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ul1hq84.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ul1hq84.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3696
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wB0gW16.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wB0gW16.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5060
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\xE6DY46.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\xE6DY46.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Am61ri0.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Am61ri0.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3788
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                  • Modifies Windows Defender Real-time Protection settings
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3252
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Tc4789.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Tc4789.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3612
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2720
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3JN35wF.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3JN35wF.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks SCSI registry key(s)
              PID:4904
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Ju320Lj.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Ju320Lj.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5104
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5AM4vu0.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5AM4vu0.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4752
          • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
            "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1752
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:368
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4336
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2708
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "explothe.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2328
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "explothe.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1952
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:464
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\fefffe8cea" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4968
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\fefffe8cea" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ub8sP8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ub8sP8.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7oM6EI07.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7oM6EI07.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:992
  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    1⤵
    • Executes dropped EXE
    PID:4048
  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    1⤵
    • Executes dropped EXE
    PID:4912
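Three host-side patterns in the tree above are worth turning into detections: the loaders in IXP00n.TMP (the temp-extraction directories used by IExpress/wextract self-extracting packages) spawning a bare `AppLaunch.exe` with no arguments after SetThreadContext and WriteProcessMemory, which is the process-hollowing shape; Amadey's `schtasks /Create /SC MINUTE /MO 1` pointing a task at its own copy under %TEMP%; and the `cacls ... /P "Admin:N"` then `/P "Admin:R" /E` pair that leaves the dropped file and directory readable but not modifiable or deletable by the current user. The block below is an added example, not code from the report or from any vendor, that runs those three checks over process records. The records are transcribed from the Processes section (image, command line, PID, parent PID); the record layout, thresholds and function names are this example's own assumptions.

```python
"""Host detections over the sandbox process tree (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TEMP_DIR = "\\appdata\\local\\temp\\"   # compared case-insensitively
HOLLOW_HOSTS = {"applaunch.exe"}       # signed .NET host hollowed in the report's tree


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Subset of the report's process tree, PIDs and command lines as listed there.
PROCS = [
    Proc(3788, 2608, r"C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Am61ri0.exe",
         r"C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Am61ri0.exe"),
    Proc(3252, 3788, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'),
    Proc(1752, 4752, r"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"'),
    Proc(368, 1752, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe '
         r'/TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F'),
    Proc(2328, 4336, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "explothe.exe" /P "Admin:N"'),
    Proc(1952, 4336, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "explothe.exe" /P "Admin:R" /E'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def schtasks_minute_persistence(p: Proc, max_minutes: int = 5) -> Optional[dict]:
    """schtasks /Create with a MINUTE schedule; reports whether /TR points under %TEMP%."""
    if not p.image.lower().endswith("schtasks.exe"):
        return None
    toks = tokenize(p.cmdline)
    args: Dict[str, str] = {}
    for i, t in enumerate(toks):          # map each /FLAG to the value that follows it
        if t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            args[t.upper()] = toks[i + 1]
    if "/CREATE" not in {t.upper() for t in toks} or args.get("/SC", "").upper() != "MINUTE":
        return None
    every = int(args.get("/MO", "1"))     # schtasks defaults /MO to 1
    if every > max_minutes:
        return None
    run = args.get("/TR", "")
    return {"task": args.get("/TN"), "every_min": every, "run": run,
            "in_temp": TEMP_DIR in run.lower()}


def cacls_self_deny(p: Proc) -> Optional[dict]:
    """cacls /P <user>:N on a file: the deny step of Amadey's self-protection."""
    if not p.image.lower().endswith("cacls.exe"):
        return None
    toks = tokenize(p.cmdline)
    upper = [t.upper() for t in toks]
    if "/P" not in upper or upper.index("/P") + 1 >= len(toks) or len(toks) < 2:
        return None
    user, _, right = toks[upper.index("/P") + 1].rpartition(":")
    if right.upper() != "N":
        return None
    return {"target": toks[1], "denied_user": user}


def hollowed_host(p: Proc, by_pid: Dict[int, Proc]) -> Optional[dict]:
    """A known host binary started with no arguments by a parent running from %TEMP%."""
    name = p.image.rsplit("\\", 1)[-1].lower()
    if name not in HOLLOW_HOSTS or len(tokenize(p.cmdline)) != 1:
        return None                       # AppLaunch.exe normally receives arguments
    parent = by_pid.get(p.ppid)
    if parent is None or TEMP_DIR not in parent.image.lower():
        return None
    return {"host": name, "parent": parent.image, "parent_pid": parent.pid}


def scan(procs: List[Proc]) -> List[Tuple[int, str, dict]]:
    """Run every detection over every record; returns (pid, detection, details)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        for name, hit in (("schtasks_minute_persistence", schtasks_minute_persistence(p)),
                          ("cacls_self_deny", cacls_self_deny(p)),
                          ("hollowed_host", hollowed_host(p, by_pid))):
            if hit:
                hits.append((p.pid, name, hit))
    return hits


if __name__ == "__main__":
    for pid, name, details in scan(PROCS):
        print(pid, name, details)
```

The `/E` (edit) call that follows the deny is deliberately not flagged: on its own, granting read is unremarkable, and the deny is the step that blocks cleanup. When wiring this into real telemetry, key the hollowing check on the parent's image path rather than on the child's, since the child is a legitimately signed Microsoft binary.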

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7oM6EI07.exe

    Filesize

    72KB

    MD5

    55888074dae709dfee918f06d8f38b44

    SHA1

    9ed340c0aba6cf5ca22cb12e5742c2b74dd36e2f

    SHA256

    8fe4d34a6a245c5acd3d1741213c1dd195468089b1a3fe80adfa6d8d8c94f2d8

    SHA512

    c43ac4c08fc0d334efa0e822b13e10297641ede4ce98e2d92662b42df6fe86886335791047802dfd6e41a142fcbf890c0585906749bb8d8435c18cc2754422e4

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE3yv05.exe

    Filesize

    1.7MB

    MD5

    f68b37ca4ff530cd297416d1637c4cb3

    SHA1

    a5b643c40c28643e73aac6cc11ba62d10eac803e

    SHA256

    fd7a9b8e52e2fbcb090d5f5046a73d6e42b421abf063083210889f3fcb47dee0

    SHA512

    8b6e0cfd9631448e3f6501961cbcf86f2a466c7d70067d5ef922f0488d5a3c71e70f00582d53e2b1575b29fde6f21ae9ba2cee3c5d17bb6dea503a0985b7ed1f

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ub8sP8.exe

    Filesize

    181KB

    MD5

    3aaf8a04b1b15765fcc77cf715e293df

    SHA1

    e9ad4b557370fc95380781ed9964598460e812d6

    SHA256

    35c55b402e770e25adf57ffbd408a428af9ce21a735474b5d94ccdd4123e68f8

    SHA512

    fe47b483f637a42a1691a257a259fb8b00768bcdc8fcd4dc4ecef89f86c6a23033195b72b1f27b9d3a904b3de20e69df1ec684b05667a0e44b1845d035699134

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uk9Fo72.exe

    Filesize

    1.5MB

    MD5

    5e578724796bc98207af6545c4a59f41

    SHA1

    76ea9345056f188c04aa580680c70fbacaa89827

    SHA256

    5697652d0fd5b4a05ac00f6ec028fd3dc3e34ed7b112c4b8c6048eae72a8d326

    SHA512

    862a8686a52bbc946bb83fb58336308296093d47f45bf99c0345356ad71506d6e074963d05dc297ca0bf7281d90024004cc7179afdd98dc4c8827ddde49cab3d

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5AM4vu0.exe

    Filesize

    222KB

    MD5

    fdc7e7dbe56849b137c1a72335dd3fc5

    SHA1

    8782fbbd4ba7ce3f508c095c2291f739d18b752c

    SHA256

    edfb4374d5c586f0690c95ff8cacb36bda6fb4743f20dda5e6f17e7e241edd47

    SHA512

    967d64ddeee6f1aef8d2a04985ea4a6e9c7648072fc0c2accda6d3514eb2dd2d5281fa05e02153337e90b24410dcd2a7b43705235b43984bf60e49cabeeb754b

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ul1hq84.exe

    Filesize

    1.3MB

    MD5

    637152846228a9def2594167e0ae0b73

    SHA1

    418952436399c150893cbbbae478c86d76efb927

    SHA256

    da4f614c983fa226d813de390937389ae4d1e043dd86524aa7a5246fd587826b

    SHA512

    68156b094301cb6f016b9cb2e525f761f6cc19b455361c6842ccf08ea091601f4e47b03a51d78de0ab363ff1e93eb41a104290d9bad33d01b1a1c2563dbe7168

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Ju320Lj.exe

    Filesize

    1.9MB

    MD5

    4032d3d8736e56282ef9b43ad3b38ac1

    SHA1

    d1e9d6adbf6689a48fff89d11d1abaf9a3f4f3cb

    SHA256

    7d18c67c13ec919f3950092319d11eda129c8498e171612e681eebf1c977493d

    SHA512

    94013fe30fdc714e38c7317c6cbaa965386a69759636746fa1aa37da05f6cdde7ba56c27633122ab4f6658aacab29f10c3cf03e790d677299a13018de7e9b8cd

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wB0gW16.exe

    Filesize

    784KB

    MD5

    5fab57c66c9eb178bfd7266df702d29d

    SHA1

    3c6c976ebb645334274ac4878870e9f47c1e8d3e

    SHA256

    0c48529d2979698341e89d6ea5f7e9211fa277e40d3f6a55a8996135944ebdad

    SHA512

    72cf402baedcb1a9807f9b9ada5487d104cd60d02a6f1768a804191ad32f4a95c08bcceca34e3dd55d1e2e660374a4bf8d18079c3fe04368de749232426ff6b9

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3JN35wF.exe

    Filesize

    31KB

    MD5

    92a12208e222594568bc70957c1b9261

    SHA1

    f38062b8ff4f5855e8e6f6dfea2366250cd4dec2

    SHA256

    80df101f1f93fa53b3dcbc315d3ec5d8c8330c08b5622ac3207f746d016b66dc

    SHA512

    7aa5b9eeebba5d9f0bcb66e41a32ad7ab1407b603cdb1db89517649056183c67afab313a0e96693aa02991633933c0c63ce3a6d34064c7fd12e667b71aaf22ac

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\xE6DY46.exe

    Filesize

    660KB

    MD5

    762ce72eed847280113ec690c9992970

    SHA1

    bfae6f5d06969d73de02b977bc233c98921eeeb1

    SHA256

    7f101603fbb2821504cf2c71fca0450689dfcd6d1f36e57e27f0392be0f2d1dd

    SHA512

    a00c47ff4dcdb0fcf0a1fe6fddd05ba13b6bbe44923018142e8c37fd90a9bdb756c9012b8610231512db6efd33583c4e42d295bc57f5d380a968c8acc514318c

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Am61ri0.exe

    Filesize

    1.6MB

    MD5

    55e4afca8b6e5d1c28d5742cb1a924ab

    SHA1

    b0385b0c16ae475eb0b3b6d62fe4971f694f22b4

    SHA256

    301a1c9f4e82fc8f57577ea399a2591557ff57d337472c3f8482a89c5b4105d5

    SHA512

    0ba4f57f16d0e6cd7dc8170280efd2e801e1239a392c751cfe1d9bf3a9d96f2a19585132761aea429ee86e3b09907f7b49b064da613bb7dfe2e352fbc330806e

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Tc4789.exe

    Filesize

    1.8MB

    MD5

    dbe718ef607358c36036fbcb8654616e

    SHA1

    6b2c3f93d5fb83bc3cc1c258fb3d27117c26e250

    SHA256

    1f224093b9557dd73caaf1c6a823028c286ddd3414bceb0860e0fe084fb8c2ab

    SHA512

    00d25fc409dfc18d5a936d7d201f12b96eebbaaacf4b6713c6d21c790a1910943f66332af9bcda0574a6406abae9b569d881257a3113b1dca689fcf80dddf90e

  • C:\Users\Admin\AppData\Local\Temp\is64.bat

    Filesize

    181B

    MD5

    225edee1d46e0a80610db26b275d72fb

    SHA1

    ce206abf11aaf19278b72f5021cc64b1b427b7e8

    SHA256

    e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

    SHA512

    4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

  • C:\Users\Admin\AppData\Local\Temp\is64.txt

    Filesize

    3B

    MD5

    a5ea0ad9260b1550a14cc58d2c39b03d

    SHA1

    f0aedf295071ed34ab8c6a7692223d22b6a19841

    SHA256

    f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

    SHA512

    7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

  • memory/2720-47-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2720-49-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2720-46-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3252-42-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/4904-54-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4904-53-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/5104-64-0x00000000080B0000-0x0000000008654000-memory.dmp

    Filesize

    5.6MB

  • memory/5104-67-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

    Filesize

    40KB

  • memory/5104-80-0x0000000008C80000-0x0000000009298000-memory.dmp

    Filesize

    6.1MB

  • memory/5104-81-0x0000000008660000-0x000000000876A000-memory.dmp

    Filesize

    1.0MB

  • memory/5104-84-0x0000000007C70000-0x0000000007C82000-memory.dmp

    Filesize

    72KB

  • memory/5104-85-0x0000000007DE0000-0x0000000007E1C000-memory.dmp

    Filesize

    240KB

  • memory/5104-87-0x0000000007E20000-0x0000000007E6C000-memory.dmp

    Filesize

    304KB

  • memory/5104-65-0x0000000007BA0000-0x0000000007C32000-memory.dmp

    Filesize

    584KB

  • memory/5104-58-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB