Analysis

  • max time kernel
    184s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2022 18:27

General

  • Target

    file.exe

  • Size

    226KB

  • MD5

    dedd5c0ac85096e282d51b4784ca2aa4

  • SHA1

    18caac5cb1d4d084fa2654477af97c58e95c1281

  • SHA256

    6fd43674da08e9cb4e4a6945c2ac41ae6ec1042cc177343797937465da74e263

  • SHA512

    554c046c124cb6a1b1538ee1037d36ef5617753743f6199d8192563dc38de777e92775198ba3bce1b49ebcd24092c40b767ca9e16e6c96889fddfb146ad492b4

  • SSDEEP

    6144:LFQ9jysBHl7PnsmNF9OlRYf9E0Bx4mklpZZT+p51:iMsBHlDGYPVklp7+N

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.17/hfk3vK9/index.php

Extracted

Family

redline

Botnet

pops

C2

31.41.244.14:4694

Attributes
  • auth_value

    c377eb074ac3f12f85b0ff38d543b16d
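
The two C2 values above come in different shapes (a URL with a panel path for Amadey, a bare host:port for RedLine), so matching them against proxy or flow logs needs a small normalisation step. The following is an added example written for this page, not tooling from the sandbox or from either malware family: it parses both indicator forms, classifies constructed log lines as strong (exact URL or host:port) or weak (right host but wrong port/path), and, as an assumption not stated in the report, also flags the rest of 31.41.244.0/24 as weak because both C2 hosts sit in it.

```python
"""Match proxy / netflow style log lines against the C2 indicators in this
report. Amadey's C2 is a URL with a path, RedLine's is host:port, so both
are normalised into one Indicator shape before matching.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re
from typing import Optional
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section above.
C2_INDICATORS = [
    "31.41.244.17/hfk3vK9/index.php",   # Amadey 3.50, HTTP panel
    "31.41.244.14:4694",                # RedLine, botnet "pops", raw TCP
]


@dataclass(frozen=True)
class Indicator:
    host: str
    port: Optional[int]       # None when the config gives no port
    path: Optional[str]       # None for host:port indicators


def parse_indicator(raw: str) -> Indicator:
    """Accept both 'host/path' and 'host:port' forms."""
    if "/" in raw:
        # urlsplit only treats the first token as a host when a scheme is present.
        parts = urlsplit("http://" + raw)
        return Indicator(parts.hostname, parts.port, parts.path or "/")
    host, _, port = raw.partition(":")
    return Indicator(host, int(port) if port else None, None)


INDICATORS = [parse_indicator(x) for x in C2_INDICATORS]
# Assumption for this example (not stated in the report): both C2 hosts sit in
# 31.41.244.0/24, so the whole /24 is treated as a weak, review-only indicator.
NEIGHBOUR_NETS = {ip_network(i.host + "/24", strict=False) for i in INDICATORS}

# Constructed sample log in a simplified "ts dst_ip dst_port url" layout.
SAMPLE_LOG = """\
1669400000 31.41.244.17 80 http://31.41.244.17/hfk3vK9/index.php
1669400001 31.41.244.14 4694 -
1669400002 31.41.244.99 443 -
1669400003 93.184.216.34 443 https://example.com/
1669400004 31.41.244.14 4695 -
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<ip>[\d.]+)\s+(?P<port>\d+)\s+(?P<url>\S+)$")


def classify(line: str) -> Optional[str]:
    """Return 'strong', 'weak' or None for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, port, url = m["ip"], int(m["port"]), m["url"]
    path = urlsplit(url).path if url != "-" else None
    for ind in INDICATORS:
        if ind.host != ip:
            continue
        if ind.path is not None and path == ind.path:
            return "strong"            # exact URL match (Amadey panel)
        if ind.port is not None and ind.path is None and port == ind.port:
            return "strong"            # exact host:port match (RedLine)
        return "weak"                  # right host, wrong port or path
    if any(ip_address(ip) in net for net in NEIGHBOUR_NETS):
        return "weak"                  # same /24 only: review, never block on this alone
    return None


def scan(log: str) -> list[tuple[str, str]]:
    """Return (verdict, line) for every line that matched anything."""
    hits = []
    for line in log.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((verdict, line))
    return hits


if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:6} {line}")
```

Only the strong verdicts are worth an automatic block; the weak ones exist so that a host reusing the same /24 or a port change on the RedLine host still surfaces for review.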

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Amadey credential stealer module 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic heuristic that is commonly associated with ransomware; for this sample it is consistent with the infostealer behaviour reported elsewhere in this analysis and is not evidence of ransomware.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1916
      • C:\Users\Admin\AppData\Local\Temp\1000002001\laba.exe
        "C:\Users\Admin\AppData\Local\Temp\1000002001\laba.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:1984
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0DBA7E4D-0EA3-42FE-A621-F8ACEF43BD78} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      2⤵
      • Executes dropped EXE
      PID:1816
    • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      2⤵
      • Executes dropped EXE
      PID:1548
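
The tree above shows three things worth turning into detection logic: the sample copies itself into a hex-named directory under %TEMP% and runs from there, it persists with a schtasks /Create whose /SC MINUTE /MO 1 trigger points into that directory, and it uses rundll32 to call an export of a DLL dropped under %APPDATA%. The following is an added example, not code from the sandbox or the malware: it runs those rules over constructed Sysmon Event ID 1 style records modelled on the process list, plus a benign control. The 8-16 character hex directory length is an assumption generalised from the two directories seen here.

```python
"""Detection logic for the process tree above, run over constructed
process-creation records (image, command line, parent image).
Rules: self-copy running from a hex-named dir under %TEMP%, a schtasks
/Create with a minute trigger into a user-writable path, rundll32 calling
a DLL export from a hex-named dir under %APPDATA%, and any of those
LOLBins being spawned by the %TEMP% copy.
"""
import re

# Constructed records modelled on the Processes section; the last one is a
# benign control (an admin creating a daily task from Program Files).
EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\file.exe"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe '
            r'/TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"},
    {"image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Assumption: the dropper's directory names are 8-16 hex characters (seen: 10 and 14).
HEX_TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{8,16}\\[^\\]+\.exe$", re.I)
HEX_ROAMING_DLL = re.compile(r"\\AppData\\Roaming\\[0-9a-f]{8,16}\\[^\\]+\.dll", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def tokens(cmd: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def schtasks_args(cmd: str) -> dict[str, str]:
    """Map /FLAG -> value for flags that take a value (e.g. /SC, /MO, /TN, /TR)."""
    toks = tokens(cmd)
    return {t.upper(): toks[i + 1] for i, t in enumerate(toks)
            if t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/")}


def detect(ev: dict) -> list[str]:
    """Return the rule descriptions that fire for one process-creation record."""
    image, cmd, parent = ev["image"], ev["cmd"], ev["parent"]
    base = image.rsplit("\\", 1)[-1].lower()
    hits = []
    if HEX_TEMP_EXE.search(image):
        hits.append("exe running from hex-named dir under %TEMP% (Amadey-style self-copy)")
    if base == "schtasks.exe" and "/CREATE" in (t.upper() for t in tokens(cmd)):
        args = schtasks_args(cmd)
        task_path = args.get("/TR", "")
        if USER_WRITABLE.search(task_path):
            if args.get("/SC", "").upper() == "MINUTE":
                hits.append(f"schtasks: every {args.get('/MO', '1')} min -> user-writable path {task_path}")
            else:
                hits.append(f"schtasks: task -> user-writable path {task_path}")
    if base == "rundll32.exe" and HEX_ROAMING_DLL.search(cmd):
        hits.append("rundll32 calling DLL export from hex-named dir under %APPDATA%")
    if base in ("schtasks.exe", "rundll32.exe") and HEX_TEMP_EXE.search(parent):
        hits.append("LOLBin spawned by executable in hex-named %TEMP% dir")
    return hits


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run every record through detect(); keep only those that fired."""
    return [(ev["image"], detect(ev)) for ev in events if detect(ev)]


if __name__ == "__main__":
    for image, hits in scan(EVENTS):
        print(image)
        for h in hits:
            print("   ", h)
```

The command line is tokenised rather than substring-matched so that /TR is read as a value even when the path is quoted, and the image path is used for the LOLBin check because the logged command line says System32 while the image actually ran from SysWOW64 (file-system redirection for a 32-bit parent).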

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1000002001\laba.exe

    Filesize

    137KB

    MD5

    9299834655f07e6896b1ff0b9e92c7b4

    SHA1

    acba1e9262b4aebf020758e30326afdc99c714ad

    SHA256

    fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257

    SHA512

    7ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650

  • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

    Filesize

    226KB

    MD5

    dedd5c0ac85096e282d51b4784ca2aa4

    SHA1

    18caac5cb1d4d084fa2654477af97c58e95c1281

    SHA256

    6fd43674da08e9cb4e4a6945c2ac41ae6ec1042cc177343797937465da74e263

    SHA512

    554c046c124cb6a1b1538ee1037d36ef5617753743f6199d8192563dc38de777e92775198ba3bce1b49ebcd24092c40b767ca9e16e6c96889fddfb146ad492b4

  • C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll

    Filesize

    126KB

    MD5

    adbaf286228c46522e50371c4be31a03

    SHA1

    a29d644c4663b2e2b2bd92046ba0df629537c297

    SHA256

    d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

    SHA512

    74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

  • \Users\Admin\AppData\Local\Temp\1000002001\laba.exe

    Filesize

    137KB

    MD5

    9299834655f07e6896b1ff0b9e92c7b4

    SHA1

    acba1e9262b4aebf020758e30326afdc99c714ad

    SHA256

    fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257

    SHA512

    7ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650

  • \Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

    Filesize

    226KB

    MD5

    dedd5c0ac85096e282d51b4784ca2aa4

    SHA1

    18caac5cb1d4d084fa2654477af97c58e95c1281

    SHA256

    6fd43674da08e9cb4e4a6945c2ac41ae6ec1042cc177343797937465da74e263

    SHA512

    554c046c124cb6a1b1538ee1037d36ef5617753743f6199d8192563dc38de777e92775198ba3bce1b49ebcd24092c40b767ca9e16e6c96889fddfb146ad492b4

  • \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll

    Filesize

    126KB

    MD5

    adbaf286228c46522e50371c4be31a03

    SHA1

    a29d644c4663b2e2b2bd92046ba0df629537c297

    SHA256

    d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

    SHA512

    74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

  • memory/932-65-0x000000000028B000-0x00000000002AA000-memory.dmp

    Filesize

    124KB

  • memory/932-66-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

  • memory/932-70-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

  • memory/932-69-0x000000000028B000-0x00000000002AA000-memory.dmp

    Filesize

    124KB

  • memory/932-60-0x0000000000000000-mapping.dmp

  • memory/956-63-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

  • memory/956-62-0x00000000008FB000-0x000000000091A000-memory.dmp

    Filesize

    124KB

  • memory/956-57-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

  • memory/956-54-0x0000000075931000-0x0000000075933000-memory.dmp

    Filesize

    8KB

  • memory/956-56-0x0000000000220000-0x000000000025E000-memory.dmp

    Filesize

    248KB

  • memory/956-55-0x00000000008FB000-0x000000000091A000-memory.dmp

    Filesize

    124KB

  • memory/1548-93-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

  • memory/1548-92-0x000000000088B000-0x00000000008AA000-memory.dmp

    Filesize

    124KB

  • memory/1548-89-0x0000000000000000-mapping.dmp

  • memory/1652-75-0x00000000003B0000-0x00000000003D8000-memory.dmp

    Filesize

    160KB

  • memory/1652-72-0x0000000000000000-mapping.dmp

  • memory/1816-88-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

  • memory/1816-87-0x000000000083B000-0x000000000085A000-memory.dmp

    Filesize

    124KB

  • memory/1816-84-0x0000000000000000-mapping.dmp

  • memory/1916-67-0x0000000000000000-mapping.dmp

  • memory/1984-77-0x0000000000000000-mapping.dmp
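
The Downloads list above reduces to three distinct files once the repeated entries and the two path spellings are folded together: the original sample and its gntuud.exe copy share one SHA-256, laba.exe is the downloaded second stage, and cred64.dll is the module rundll32 loaded. A disk sweep for them, as an added example that is not part of the report or either malware family's tooling: it hashes every file under a root, matches on SHA-256 as the strong signal and on the drop-path shape as a weak one. The 8-16 character hex directory length is an assumption generalised from the two directories seen here, and the demo tree it builds contains placeholders, not the samples.

```python
"""Sweep a directory tree for the dropped files in the Downloads list above.
Strong signal: SHA-256 equals one of the report's hashes. Weak signal: the
path has the shape the dropper used (an executable in a hex-named directory
under AppData/Local/Temp, or a DLL in a hex-named directory under
AppData/Roaming).
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 values copied from the Downloads section; keying by hash removes the
# repeats the report lists under two path spellings.
KNOWN_SHA256 = {
    "6fd43674da08e9cb4e4a6945c2ac41ae6ec1042cc177343797937465da74e263": "file.exe / gntuud.exe (same hash: self-copy)",
    "fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257": "laba.exe (downloaded second stage)",
    "d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0": "cred64.dll (loaded via rundll32)",
}

# Assumption: 8-16 hex chars for the dropper's directory names (seen: 10 and 14).
# Both separators are accepted so the same rule works on mounted images.
DROP_PATH = re.compile(
    r"AppData[\\/](Local[\\/]Temp[\\/][0-9a-f]{8,16}[\\/][^\\/]+\.exe"
    r"|Roaming[\\/][0-9a-f]{8,16}[\\/][^\\/]+\.dll)$", re.I)


def sha256_of(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known=None) -> list[dict]:
    """Walk root; return one finding per file that matches by hash or by path shape."""
    known = KNOWN_SHA256 if known is None else known
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of(p)
            except OSError:
                continue                      # unreadable file: skip rather than abort the sweep
            reasons = []
            if digest in known:
                reasons.append("hash: " + known[digest])
            if DROP_PATH.search(p):
                reasons.append("drop-path shape")   # weak: triage, not proof
            if reasons:
                findings.append({"path": p, "sha256": digest, "reasons": reasons})
    return findings


def demo_tree() -> str:
    """Constructed tree for offline use: one placeholder at a drop-path location
    and one benign control. The placeholder is not the sample, so only the path
    rule fires on it unless its own hash is added to `known`."""
    root = tempfile.mkdtemp()
    drop = Path(root, "Users", "Admin", "AppData", "Local", "Temp", "3f904562a0")
    drop.mkdir(parents=True)
    (drop / "gntuud.exe").write_bytes(b"MZ placeholder, not the sample")
    ctl = Path(root, "Users", "Admin", "Documents")
    ctl.mkdir(parents=True)
    (ctl / "notes.txt").write_bytes(b"benign")
    return root


if __name__ == "__main__":
    for finding in sweep(demo_tree()):
        print(finding["sha256"][:16], finding["path"], finding["reasons"])
```

On a live host the hash match is the actionable result; the path-shape hits are there to catch a rebuilt or repacked stage that lands in the same kind of directory but no longer matches any published hash.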