Analysis
-
max time kernel
134s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-11-2022 17:50
General
-
Target
8258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee.exe
-
Size
204KB
-
MD5
385c6b65206461cd6731505c01bcfc47
-
SHA1
d23783d94eb2936f80825419050771e39a7d7bc8
-
SHA256
8258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee
-
SHA512
d47775895d79a3adfb0a70d4e0cb17cc570f329187ae97bb2b44e30ee9479b8a877fde1372b93b84cc5c655eae7d2603def49ce89d8a2c00705ec198e37e99ae
-
SSDEEP
3072:xED6JA4VBveNOy5LPn2hYbVs1sbD5yl+eM7g44IJ7YsFHqG1deOy:JAKBmNtf2Kb1El87g4PGiHbO
Malware Config
Extracted
amadey
3.50
193.56.146.194/h49vlBP/index.php
62.204.41.252/nB8cWack3/index.php
Extracted
redline
pops
31.41.244.14:4694
-
auth_value
c377eb074ac3f12f85b0ff38d543b16d
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee.exe"C:\Users\Admin\AppData\Local\Temp\8258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000150001\Legend.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\Legend.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000013001\ScrummagesSubsisted.exe"C:\Users\Admin\AppData\Local\Temp\1000013001\ScrummagesSubsisted.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 12966⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\1000151001\laba.exe"C:\Users\Admin\AppData\Local\Temp\1000151001\laba.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 11402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 964 -ip 9641⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeC:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 4202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4048 -ip 40481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2020 -ip 20201⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeC:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 4202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4340 -ip 43401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000013001\ScrummagesSubsisted.exeFilesize
276KB
MD5dd1fe8b2a7d19b20245234fe3da0ef64
SHA1d93d4e725e89461a598853744061c6a506253dfe
SHA256e56e23b471d4f2e93e9e82fc72cfef98162bc458a5619a6488fda702b4149bf2
SHA51223b8a46094d2399d6cdff24304e6e08c4b04f400a35403b81f8419cdcf0bee09ba60807e9431a65078f6b1ebbb43fbb61527a9ad6b6f7b497a3236317d4e5ab0
-
C:\Users\Admin\AppData\Local\Temp\1000013001\ScrummagesSubsisted.exeFilesize
276KB
MD5dd1fe8b2a7d19b20245234fe3da0ef64
SHA1d93d4e725e89461a598853744061c6a506253dfe
SHA256e56e23b471d4f2e93e9e82fc72cfef98162bc458a5619a6488fda702b4149bf2
SHA51223b8a46094d2399d6cdff24304e6e08c4b04f400a35403b81f8419cdcf0bee09ba60807e9431a65078f6b1ebbb43fbb61527a9ad6b6f7b497a3236317d4e5ab0
-
C:\Users\Admin\AppData\Local\Temp\1000150001\Legend.exeFilesize
241KB
MD5b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1f886edefe8980a61b730a998285a3086955cb800
SHA25693fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2
-
C:\Users\Admin\AppData\Local\Temp\1000150001\Legend.exeFilesize
241KB
MD5b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1f886edefe8980a61b730a998285a3086955cb800
SHA25693fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2
-
C:\Users\Admin\AppData\Local\Temp\1000151001\laba.exeFilesize
137KB
MD59299834655f07e6896b1ff0b9e92c7b4
SHA1acba1e9262b4aebf020758e30326afdc99c714ad
SHA256fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257
SHA5127ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650
-
C:\Users\Admin\AppData\Local\Temp\1000151001\laba.exeFilesize
137KB
MD59299834655f07e6896b1ff0b9e92c7b4
SHA1acba1e9262b4aebf020758e30326afdc99c714ad
SHA256fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257
SHA5127ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
204KB
MD5385c6b65206461cd6731505c01bcfc47
SHA1d23783d94eb2936f80825419050771e39a7d7bc8
SHA2568258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee
SHA512d47775895d79a3adfb0a70d4e0cb17cc570f329187ae97bb2b44e30ee9479b8a877fde1372b93b84cc5c655eae7d2603def49ce89d8a2c00705ec198e37e99ae
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
204KB
MD5385c6b65206461cd6731505c01bcfc47
SHA1d23783d94eb2936f80825419050771e39a7d7bc8
SHA2568258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee
SHA512d47775895d79a3adfb0a70d4e0cb17cc570f329187ae97bb2b44e30ee9479b8a877fde1372b93b84cc5c655eae7d2603def49ce89d8a2c00705ec198e37e99ae
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
204KB
MD5385c6b65206461cd6731505c01bcfc47
SHA1d23783d94eb2936f80825419050771e39a7d7bc8
SHA2568258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee
SHA512d47775895d79a3adfb0a70d4e0cb17cc570f329187ae97bb2b44e30ee9479b8a877fde1372b93b84cc5c655eae7d2603def49ce89d8a2c00705ec198e37e99ae
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
204KB
MD5385c6b65206461cd6731505c01bcfc47
SHA1d23783d94eb2936f80825419050771e39a7d7bc8
SHA2568258ef6191150a9b6610f72c9b584e0e6c71e20fbfaa0e5299375d59427d0fee
SHA512d47775895d79a3adfb0a70d4e0cb17cc570f329187ae97bb2b44e30ee9479b8a877fde1372b93b84cc5c655eae7d2603def49ce89d8a2c00705ec198e37e99ae
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeFilesize
241KB
MD5b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1f886edefe8980a61b730a998285a3086955cb800
SHA25693fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeFilesize
241KB
MD5b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1f886edefe8980a61b730a998285a3086955cb800
SHA25693fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeFilesize
241KB
MD5b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1f886edefe8980a61b730a998285a3086955cb800
SHA25693fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeFilesize
241KB
MD5b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1f886edefe8980a61b730a998285a3086955cb800
SHA25693fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5674cec24e36e0dfaec6290db96dda86e
SHA1581e3a7a541cc04641e751fc850d92e07236681f
SHA256de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA5126d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5674cec24e36e0dfaec6290db96dda86e
SHA1581e3a7a541cc04641e751fc850d92e07236681f
SHA256de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA5126d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
-
memory/964-137-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/964-133-0x0000000002070000-0x00000000020AE000-memory.dmpFilesize
248KB
-
memory/964-132-0x000000000056D000-0x000000000058C000-memory.dmpFilesize
124KB
-
memory/964-142-0x000000000056D000-0x000000000058C000-memory.dmpFilesize
124KB
-
memory/2020-157-0x0000000000400000-0x000000000047A000-memory.dmpFilesize
488KB
-
memory/2020-156-0x00000000005E0000-0x000000000061E000-memory.dmpFilesize
248KB
-
memory/2020-150-0x0000000000000000-mapping.dmp
-
memory/2020-158-0x00000000054C0000-0x0000000005AD8000-memory.dmpFilesize
6.1MB
-
memory/2020-159-0x00000000052D0000-0x00000000053DA000-memory.dmpFilesize
1.0MB
-
memory/2020-160-0x0000000005400000-0x0000000005412000-memory.dmpFilesize
72KB
-
memory/2020-161-0x0000000005420000-0x000000000545C000-memory.dmpFilesize
240KB
-
memory/2020-185-0x0000000000400000-0x000000000047A000-memory.dmpFilesize
488KB
-
memory/2020-155-0x00000000006FD000-0x000000000072D000-memory.dmpFilesize
192KB
-
memory/2020-154-0x0000000004BE0000-0x0000000004C72000-memory.dmpFilesize
584KB
-
memory/2020-153-0x0000000004CC0000-0x0000000005264000-memory.dmpFilesize
5.6MB
-
memory/3396-169-0x0000000005C70000-0x0000000005CE6000-memory.dmpFilesize
472KB
-
memory/3396-162-0x0000000000000000-mapping.dmp
-
memory/3396-168-0x00000000059F0000-0x0000000005A56000-memory.dmpFilesize
408KB
-
memory/3396-165-0x0000000000220000-0x0000000000248000-memory.dmpFilesize
160KB
-
memory/3396-170-0x0000000005BF0000-0x0000000005C40000-memory.dmpFilesize
320KB
-
memory/3396-171-0x00000000065E0000-0x00000000067A2000-memory.dmpFilesize
1.8MB
-
memory/3396-172-0x0000000006CE0000-0x000000000720C000-memory.dmpFilesize
5.2MB
-
memory/4048-183-0x00000000004BF000-0x00000000004DE000-memory.dmpFilesize
124KB
-
memory/4048-184-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4132-134-0x0000000000000000-mapping.dmp
-
memory/4132-141-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4132-166-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4132-167-0x000000000057D000-0x000000000059C000-memory.dmpFilesize
124KB
-
memory/4132-140-0x0000000002080000-0x00000000020BE000-memory.dmpFilesize
248KB
-
memory/4132-139-0x000000000057D000-0x000000000059C000-memory.dmpFilesize
124KB
-
memory/4304-143-0x0000000000000000-mapping.dmp
-
memory/4340-188-0x000000000069F000-0x00000000006BE000-memory.dmpFilesize
124KB
-
memory/4340-189-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4588-173-0x0000000000000000-mapping.dmp
-
memory/4596-180-0x0000000001FD0000-0x0000000001FF4000-memory.dmpFilesize
144KB
-
memory/4596-176-0x0000000000000000-mapping.dmp
-
memory/4820-138-0x0000000000000000-mapping.dmp
-
memory/4928-149-0x0000000000000000-mapping.dmp
-
memory/4960-146-0x0000000000000000-mapping.dmp