amadey | f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
Size

285KB
MD5

0ddbed09443dac4316238573b3ad82e8
SHA1

84e984a32e29cf88a9fbf55e7080bf7356c04b4b
SHA256

f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5
SHA512

f8738527b1f997597ef356ea5b95775a4a4e02b5c4d786a5365655fb918642b9984c562442e5ad532a945aa5c92e901c38333a17ff5b29cc51e54d289a8abcb2
SSDEEP

3072:PzZh4UWvnNLZla5ka5buhYta9bRlFu42FOTvMIvM/h3:sUWvnNLZla5OhIM9OwAc

Score

10^/10

amadey redline smokeloader google2 slovarik15btc backdoor collection infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

slovarik15btc

78.153.144.3:2510

Attributes

auth_value
bfedad55292538ad3edd07ac95ad8952

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000000721-257.dat	amadey_cred_module
behavioral1/files/0x0003000000000721-258.dat	amadey_cred_module

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/1612-133-0x0000000002E90000-0x0000000002E99000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/3684-140-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1380-148-0x0000000000BE0000-0x0000000000C99000-memory.dmp	family_redline
behavioral1/memory/1028-153-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/4988-161-0x0000000000DE0000-0x0000000000E98000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
48	3636	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
1380	664B.exe
4988	694A.exe
4400	6BEB.exe
2152	72E1.exe
4388	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe
4492	rovwer.exe
4752	LYKAA.exe
1072	A184.exe
3380	rovwer.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	72E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6BEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LYKAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 1 IoCs

pid	Process
3636	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 3684	1380	664B.exe	85
PID 4988 set thread context of 1028	4988	694A.exe	90
PID 4752 set thread context of 1820	4752	LYKAA.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4540	4400	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1700	schtasks.exe
4016	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2480	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
1612	f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
1612	f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeDebugPrivilege	4388	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeDebugPrivilege	1028	vbc.exe
Token: SeDebugPrivilege	3684	vbc.exe
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeDebugPrivilege	4752	LYKAA.exe
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1380	2440	Process not Found	84
PID 2440 wrote to memory of 1380	2440	Process not Found	84
PID 2440 wrote to memory of 1380	2440	Process not Found	84
PID 1380 wrote to memory of 3684	1380	664B.exe	85
PID 1380 wrote to memory of 3684	1380	664B.exe	85
PID 1380 wrote to memory of 3684	1380	664B.exe	85
PID 1380 wrote to memory of 3684	1380	664B.exe	85
PID 2440 wrote to memory of 4988	2440	Process not Found	86
PID 2440 wrote to memory of 4988	2440	Process not Found	86
PID 2440 wrote to memory of 4988	2440	Process not Found	86
PID 1380 wrote to memory of 3684	1380	664B.exe	85
PID 2440 wrote to memory of 4400	2440	Process not Found	88
PID 2440 wrote to memory of 4400	2440	Process not Found	88
PID 2440 wrote to memory of 4400	2440	Process not Found	88
PID 4988 wrote to memory of 1028	4988	694A.exe	90
PID 4988 wrote to memory of 1028	4988	694A.exe	90
PID 4988 wrote to memory of 1028	4988	694A.exe	90
PID 4988 wrote to memory of 1028	4988	694A.exe	90
PID 4988 wrote to memory of 1028	4988	694A.exe	90
PID 2440 wrote to memory of 2152	2440	Process not Found	91
PID 2440 wrote to memory of 2152	2440	Process not Found	91
PID 2152 wrote to memory of 4388	2152	72E1.exe	92
PID 2152 wrote to memory of 4388	2152	72E1.exe	92
PID 4388 wrote to memory of 4496	4388	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe	93
PID 4388 wrote to memory of 4496	4388	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe	93
PID 4496 wrote to memory of 2480	4496	cmd.exe	95
PID 4496 wrote to memory of 2480	4496	cmd.exe	95
PID 4400 wrote to memory of 4492	4400	6BEB.exe	98
PID 4400 wrote to memory of 4492	4400	6BEB.exe	98
PID 4400 wrote to memory of 4492	4400	6BEB.exe	98
PID 4496 wrote to memory of 4752	4496	cmd.exe	101
PID 4496 wrote to memory of 4752	4496	cmd.exe	101
PID 2440 wrote to memory of 1072	2440	Process not Found	102
PID 2440 wrote to memory of 1072	2440	Process not Found	102
PID 2440 wrote to memory of 1072	2440	Process not Found	102
PID 2440 wrote to memory of 4056	2440	Process not Found	103
PID 2440 wrote to memory of 4056	2440	Process not Found	103
PID 2440 wrote to memory of 4056	2440	Process not Found	103
PID 2440 wrote to memory of 4056	2440	Process not Found	103
PID 2440 wrote to memory of 4252	2440	Process not Found	104
PID 2440 wrote to memory of 4252	2440	Process not Found	104
PID 2440 wrote to memory of 4252	2440	Process not Found	104
PID 4752 wrote to memory of 4904	4752	LYKAA.exe	106
PID 4752 wrote to memory of 4904	4752	LYKAA.exe	106
PID 2440 wrote to memory of 480	2440	Process not Found	107
PID 2440 wrote to memory of 480	2440	Process not Found	107
PID 2440 wrote to memory of 480	2440	Process not Found	107
PID 2440 wrote to memory of 480	2440	Process not Found	107
PID 4904 wrote to memory of 1700	4904	cmd.exe	108
PID 4904 wrote to memory of 1700	4904	cmd.exe	108
PID 2440 wrote to memory of 1548	2440	Process not Found	109
PID 2440 wrote to memory of 1548	2440	Process not Found	109
PID 2440 wrote to memory of 1548	2440	Process not Found	109
PID 4492 wrote to memory of 4016	4492	rovwer.exe	111
PID 4492 wrote to memory of 4016	4492	rovwer.exe	111
PID 4492 wrote to memory of 4016	4492	rovwer.exe	111
PID 2440 wrote to memory of 4088	2440	Process not Found	112
PID 2440 wrote to memory of 4088	2440	Process not Found	112
PID 2440 wrote to memory of 4088	2440	Process not Found	112
PID 2440 wrote to memory of 4088	2440	Process not Found	112
PID 2440 wrote to memory of 3824	2440	Process not Found	114
PID 2440 wrote to memory of 3824	2440	Process not Found	114
PID 2440 wrote to memory of 3824	2440	Process not Found	114
PID 2440 wrote to memory of 3824	2440	Process not Found	114

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
"C:\Users\Admin\AppData\Local\Temp\f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1612

C:\Users\Admin\AppData\Local\Temp\664B.exe
C:\Users\Admin\AppData\Local\Temp\664B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3684

C:\Users\Admin\AppData\Local\Temp\694A.exe
C:\Users\Admin\AppData\Local\Temp\694A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1028

C:\Users\Admin\AppData\Local\Temp\6BEB.exe
C:\Users\Admin\AppData\Local\Temp\6BEB.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4016
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - outlook_win_path
    PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1268
  2⤵
  - Program crash
  PID:4540

C:\Users\Admin\AppData\Local\Temp\72E1.exe
C:\Users\Admin\AppData\Local\Temp\72E1.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe
  "C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DBB.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2480
  - - C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
      "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1700
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs002 -p hybrid -t 5
        5⤵
        
        PID:1820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4400 -ip 4400
1⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\A184.exe
C:\Users\Admin\AppData\Local\Temp\A184.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4056

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:480

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3984

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
1⤵
- Executes dropped EXE
PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
2KB

MD5
8730644b84be7e133ab21f97a43c0117

SHA1
ac45ce1b256bed8f94a55153c5acdf1c6438b72d

SHA256
9562509765e4b604537ad94da94dfb7a675bc481e39ac98df0e245fa50a87169

SHA512
d9f1a3479e4e362a7343213b2baaf4911b071effc066d3d8c07157116334f10f856823f937a1d768857af5186b826d4de2d7075a5e6a17fffaead7740348bf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\664B.exe

Filesize
725KB

MD5
760ed14ca60734a59448b15a8c614143

SHA1
f5e11928e3cee41f36bebae4da877bd310ef0c84

SHA256
2b65876470639ac849a2ab66e83bb7d3db79ed0638331fbad9cd63eef3d19207

SHA512
5b891917bda0d10fb7f73e61e6f2b410378c061f9900da9f4d4631028ed3619a2e5e8eba817d932b14272d32ecded1802b035c2356e6416e5ea39ae3da638212

Download Submit
C:\Users\Admin\AppData\Local\Temp\664B.exe

Filesize
725KB

MD5
760ed14ca60734a59448b15a8c614143

SHA1
f5e11928e3cee41f36bebae4da877bd310ef0c84

SHA256
2b65876470639ac849a2ab66e83bb7d3db79ed0638331fbad9cd63eef3d19207

SHA512
5b891917bda0d10fb7f73e61e6f2b410378c061f9900da9f4d4631028ed3619a2e5e8eba817d932b14272d32ecded1802b035c2356e6416e5ea39ae3da638212

Download Submit
C:\Users\Admin\AppData\Local\Temp\694A.exe

Filesize
725KB

MD5
ab6c7ec51ca619fadef5df5722bf6689

SHA1
460faa3061e5ceb05c4bb7dcb2f6dcc94ed44317

SHA256
710cac71b68916ded1228658608f54bd6cb07123b913defea5f45458c2337fbb

SHA512
f6aeebc27caa232876aa247c5dd08dad8e5d74cdadb98e0db2461c1beec200efc89c4e313852bb994c52fe91131f3898924e8fedc5f6a05f8bcc48f8f4c09128

Download Submit
C:\Users\Admin\AppData\Local\Temp\694A.exe

Filesize
725KB

MD5
ab6c7ec51ca619fadef5df5722bf6689

SHA1
460faa3061e5ceb05c4bb7dcb2f6dcc94ed44317

SHA256
710cac71b68916ded1228658608f54bd6cb07123b913defea5f45458c2337fbb

SHA512
f6aeebc27caa232876aa247c5dd08dad8e5d74cdadb98e0db2461c1beec200efc89c4e313852bb994c52fe91131f3898924e8fedc5f6a05f8bcc48f8f4c09128

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BEB.exe

Filesize
319KB

MD5
17071fbadf6c77eeb8b72916a9801858

SHA1
c60e2c97c477bd83e51224a05e542c29f85097d5

SHA256
37467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058

SHA512
461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BEB.exe

Filesize
319KB

MD5
17071fbadf6c77eeb8b72916a9801858

SHA1
c60e2c97c477bd83e51224a05e542c29f85097d5

SHA256
37467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058

SHA512
461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72E1.exe

Filesize
1.1MB

MD5
fc94f1745be2386dfa3b366c85087517

SHA1
11a5b56dec0c9a123384a7a1c71b724e79371c6f

SHA256
62625350280734d5a4f3cc76ea43e398a880a61b9d5eaeafff36ef5a64146917

SHA512
323d3af27ed930957842fda8bfc42ab0d3efa220c8023ee6583c3c735a1cd8c52248ba387155c76ea295ba600288f776d5a046ce0b1170b206dc4e2d6c4c4514

Download Submit
C:\Users\Admin\AppData\Local\Temp\72E1.exe

Filesize
1.1MB

MD5
fc94f1745be2386dfa3b366c85087517

SHA1
11a5b56dec0c9a123384a7a1c71b724e79371c6f

SHA256
62625350280734d5a4f3cc76ea43e398a880a61b9d5eaeafff36ef5a64146917

SHA512
323d3af27ed930957842fda8bfc42ab0d3efa220c8023ee6583c3c735a1cd8c52248ba387155c76ea295ba600288f776d5a046ce0b1170b206dc4e2d6c4c4514

Download Submit
C:\Users\Admin\AppData\Local\Temp\A184.exe

Filesize
11.4MB

MD5
d5dfa0f5918b4c0e85d40ff7fd29245d

SHA1
3d695cf49eb94d2453cd4ec81292be074fc93a81

SHA256
f49bd7f46ccd889892abd707c1dd93a5df65c1e0407afd3ad294ea27b030cad6

SHA512
252877f0c50660e086b5711e206d948cd914391fe5cffe8cf5c555f551880ac03d8ed49cbd015378f5975a675953832620fee787fbb119c59d40ba637db94525

Download Submit
C:\Users\Admin\AppData\Local\Temp\A184.exe

Filesize
11.4MB

MD5
d5dfa0f5918b4c0e85d40ff7fd29245d

SHA1
3d695cf49eb94d2453cd4ec81292be074fc93a81

SHA256
f49bd7f46ccd889892abd707c1dd93a5df65c1e0407afd3ad294ea27b030cad6

SHA512
252877f0c50660e086b5711e206d948cd914391fe5cffe8cf5c555f551880ac03d8ed49cbd015378f5975a675953832620fee787fbb119c59d40ba637db94525

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
319KB

MD5
17071fbadf6c77eeb8b72916a9801858

SHA1
c60e2c97c477bd83e51224a05e542c29f85097d5

SHA256
37467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058

SHA512
461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
319KB

MD5
17071fbadf6c77eeb8b72916a9801858

SHA1
c60e2c97c477bd83e51224a05e542c29f85097d5

SHA256
37467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058

SHA512
461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
319KB

MD5
17071fbadf6c77eeb8b72916a9801858

SHA1
c60e2c97c477bd83e51224a05e542c29f85097d5

SHA256
37467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058

SHA512
461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DBB.tmp.bat

Filesize
153B

MD5
373df75aa457142d0157ed1b8eafc1ab

SHA1
e77e14028b0ea3d557716b45f40f1bce967294a5

SHA256
a15d0febe687ca9c7c5314828cc453b355ceb453d89b4e341f4173d6c8a09f29

SHA512
7240b96b41fdcfb146a0e4707333f9d66d768dc912582c78f2ea361cf82ee6cd371a6f1513816d4ed7268c72d848c668677e9c9a367ac7f57e8ba1cf59d65318

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
e92a6a3a013a87cf57f3753d77a1b9c9

SHA1
01366b392cb71fed71f5bc1cd09e0f8c76657519

SHA256
42a247529de63a9b43768ac145e38fe9da3adc8b2eed558e3ce11e5cd8bbc0e5

SHA512
c59bab1bef238927fe8102cca6080f7b62e945254668201d0eaa49a64c6969e1f8eef65b2fea56d341035f0995b5c24907487351e4cde2b6baa5d49f5a192b57

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
e92a6a3a013a87cf57f3753d77a1b9c9

SHA1
01366b392cb71fed71f5bc1cd09e0f8c76657519

SHA256
42a247529de63a9b43768ac145e38fe9da3adc8b2eed558e3ce11e5cd8bbc0e5

SHA512
c59bab1bef238927fe8102cca6080f7b62e945254668201d0eaa49a64c6969e1f8eef65b2fea56d341035f0995b5c24907487351e4cde2b6baa5d49f5a192b57

Download Submit
C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
memory/480-239-0x0000000000F00000-0x0000000000F05000-memory.dmp

Filesize
20KB

Download
memory/480-210-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download
memory/480-209-0x0000000000F00000-0x0000000000F05000-memory.dmp

Filesize
20KB

Download
memory/1028-153-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1028-180-0x00000000087F0000-0x0000000008856000-memory.dmp

Filesize
408KB

Download
memory/1028-186-0x0000000008900000-0x0000000008992000-memory.dmp

Filesize
584KB

Download
memory/1072-208-0x0000000002B30000-0x0000000002BAB000-memory.dmp

Filesize
492KB

Download
memory/1072-238-0x0000000002B30000-0x0000000002BAB000-memory.dmp

Filesize
492KB

Download
memory/1380-148-0x0000000000BE0000-0x0000000000C99000-memory.dmp

Filesize
740KB

Download
memory/1548-213-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/1548-214-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/1548-240-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/1612-134-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/1612-132-0x0000000002F27000-0x0000000002F3C000-memory.dmp

Filesize
84KB

Download
memory/1612-135-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/1612-133-0x0000000002E90000-0x0000000002E99000-memory.dmp

Filesize
36KB

Download
memory/1820-246-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1820-248-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1820-249-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1820-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2152-166-0x0000000000F40000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2152-172-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2152-167-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/3684-188-0x00000000076B0000-0x0000000007BDC000-memory.dmp

Filesize
5.2MB

Download
memory/3684-160-0x0000000005710000-0x0000000005722000-memory.dmp

Filesize
72KB

Download
memory/3684-187-0x0000000006FB0000-0x0000000007172000-memory.dmp

Filesize
1.8MB

Download
memory/3684-184-0x0000000006830000-0x0000000006DD4000-memory.dmp

Filesize
5.6MB

Download
memory/3684-162-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/3684-140-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3684-199-0x0000000007630000-0x0000000007680000-memory.dmp

Filesize
320KB

Download
memory/3684-156-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/3684-158-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/3684-197-0x0000000008400000-0x0000000008476000-memory.dmp

Filesize
472KB

Download
memory/3824-221-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/3824-242-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/3824-222-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/3984-227-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/3984-244-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/3984-228-0x0000000000750000-0x000000000075B000-memory.dmp

Filesize
44KB

Download
memory/4056-203-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/4056-202-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/4056-235-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/4088-243-0x0000000000780000-0x00000000007A2000-memory.dmp

Filesize
136KB

Download
memory/4088-220-0x0000000000750000-0x0000000000777000-memory.dmp

Filesize
156KB

Download
memory/4088-225-0x0000000000780000-0x00000000007A2000-memory.dmp

Filesize
136KB

Download
memory/4240-233-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/4240-251-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/4240-232-0x0000000000750000-0x000000000075B000-memory.dmp

Filesize
44KB

Download
memory/4252-236-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

Filesize
36KB

Download
memory/4252-206-0x0000000000FD0000-0x0000000000FDF000-memory.dmp

Filesize
60KB

Download
memory/4252-205-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

Filesize
36KB

Download
memory/4388-171-0x0000000000690000-0x0000000000766000-memory.dmp

Filesize
856KB

Download
memory/4388-173-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4388-175-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4400-185-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4400-179-0x0000000002D80000-0x0000000002DBA000-memory.dmp

Filesize
232KB

Download
memory/4400-200-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4400-178-0x0000000002FD6000-0x0000000002FF4000-memory.dmp

Filesize
120KB

Download
memory/4400-195-0x0000000002FD6000-0x0000000002FF4000-memory.dmp

Filesize
120KB

Download
memory/4472-231-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/4472-229-0x00000000005A0000-0x00000000005AD000-memory.dmp

Filesize
52KB

Download
memory/4472-245-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/4492-241-0x0000000002FA6000-0x0000000002FC4000-memory.dmp

Filesize
120KB

Download
memory/4492-219-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4492-215-0x0000000002FA6000-0x0000000002FC4000-memory.dmp

Filesize
120KB

Download
memory/4492-237-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/4752-234-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4752-198-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4988-161-0x0000000000DE0000-0x0000000000E98000-memory.dmp

Filesize
736KB

Download