Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01/12/2022, 13:55
General
-
Target
5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
-
Size
186KB
-
MD5
98e9926dc94f2e19a162caa2f69c0923
-
SHA1
b5780ca5951d762f73b3df1ec77f6b0b13aeb970
-
SHA256
5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361
-
SHA512
c966e8f8502d8311e0f6b8c4d5fc14285a05f416889389cd1378e03ccf4118c1e39fdcfd018b7e8bec8204374201e31733d8bbdaff733c511302b1b448be2d1f
-
SSDEEP
3072:1lYYMWAkYsG5y3j6/XwSYcLpsGPqqi3zfSDAbEaqd:OkYsj3j6YSYcLKGPqrjf3Ea0
Malware Config
Extracted
amadey
3.50
62.204.41.252/nB8cWack3/index.php
Extracted
redline
@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
151.80.89.233:13553
-
auth_value
fbee175162920530e6bf470c8003fa1a
Extracted
redline
Lege
31.41.244.14:4694
-
auth_value
096090aaf3ba0872338140cec5689868
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 4 IoCs
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 4 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe"C:\Users\Admin\AppData\Local\Temp\5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\51F8.exeC:\Users\Admin\AppData\Local\Temp\51F8.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe"C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe"C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe"C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /y .\PtU1.AM4⤵
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 8922⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\59D9.exeC:\Users\Admin\AppData\Local\Temp\59D9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 2402⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\619A.exeC:\Users\Admin\AppData\Local\Temp\619A.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3588 -ip 35881⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2264 -ip 22641⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4976 -ip 49761⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 4162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3812 -ip 38121⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 4162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3948 -ip 39481⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD587ef06885fd221a86bba9e5b86a7ea7d
SHA16644db86f2d557167f442a5fe72a82de3fe943ba
SHA256ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f
SHA512c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0
-
Filesize
137KB
MD587ef06885fd221a86bba9e5b86a7ea7d
SHA16644db86f2d557167f442a5fe72a82de3fe943ba
SHA256ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f
SHA512c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0
-
Filesize
137KB
MD50a793a6b9941c49675a47a2bc91cb420
SHA1ff051cc2d9cf081e863f5bb8c3d2449c28f12c7f
SHA2563bb977fda504647a2f21a19b67c3edf91ea1eb35166258164eb89b8ae1603c60
SHA512fd695f62ef32f79f3b4e5c57c68056b004355d5a16e6558bfb310f8ded03c837fe5f505f5a4f433a740fa0b980a71962571c3dd4ed86d95146a22f126850dc36
-
Filesize
137KB
MD50a793a6b9941c49675a47a2bc91cb420
SHA1ff051cc2d9cf081e863f5bb8c3d2449c28f12c7f
SHA2563bb977fda504647a2f21a19b67c3edf91ea1eb35166258164eb89b8ae1603c60
SHA512fd695f62ef32f79f3b4e5c57c68056b004355d5a16e6558bfb310f8ded03c837fe5f505f5a4f433a740fa0b980a71962571c3dd4ed86d95146a22f126850dc36
-
Filesize
1.6MB
MD5bcf73a95d7cff6a563a899d1f7d8c0b0
SHA182bd1029a51a67d8b569cc48808ebb714a22748b
SHA256ffee0c4fbb5e0dd85bed62198229736f95517dc3a72a307083a4d35b31e57ed4
SHA51250c3499fd3bbebcb31f180f11fb8722114f6768be3ad688ae045f9e5e63ad78e99054f01df2865854087c2d2f432cb61598cd4bf816289eb82791c2a9dbde591
-
Filesize
1.6MB
MD5bcf73a95d7cff6a563a899d1f7d8c0b0
SHA182bd1029a51a67d8b569cc48808ebb714a22748b
SHA256ffee0c4fbb5e0dd85bed62198229736f95517dc3a72a307083a4d35b31e57ed4
SHA51250c3499fd3bbebcb31f180f11fb8722114f6768be3ad688ae045f9e5e63ad78e99054f01df2865854087c2d2f432cb61598cd4bf816289eb82791c2a9dbde591
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
4.6MB
MD5c6ded8762cdd4b6dfd1786a86dd14527
SHA1fad44e357fca7c944fef59f75ecb33f2a0737d53
SHA2567b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb
SHA51200e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd
-
Filesize
4.6MB
MD5c6ded8762cdd4b6dfd1786a86dd14527
SHA1fad44e357fca7c944fef59f75ecb33f2a0737d53
SHA2567b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb
SHA51200e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd
-
Filesize
1.2MB
MD5d21c0fcfdc6a04825225418b294160cc
SHA17566a4019ae9792de349c9b2482aa04091b48df4
SHA2561eff9b58c3850c4e75b20b622255c04c994c11c2f4da649ec0815058e5bb765c
SHA5121ee892f0eba2dd2a55b4bd4f80fd290ed9146306dd17d2e91165972a59870300d7ebfa73a445b8927c83730f86849889f978e7ac0497433aff896f1a5a62b97b
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
1.5MB
MD549ad213d3e2f304c2170118fab55cc54
SHA14c8ceac0d9bd32611ed8b3f5dca85f451911e7fb
SHA25611c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff
SHA512562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43
-
Filesize
1.5MB
MD549ad213d3e2f304c2170118fab55cc54
SHA14c8ceac0d9bd32611ed8b3f5dca85f451911e7fb
SHA25611c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff
SHA512562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43
-
Filesize
1.5MB
MD549ad213d3e2f304c2170118fab55cc54
SHA14c8ceac0d9bd32611ed8b3f5dca85f451911e7fb
SHA25611c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff
SHA512562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43
-
Filesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
Filesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
Filesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
400KB
-
Filesize
36KB
-
Filesize
68KB
-
Filesize
400KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
124KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
124KB
-
Filesize
160KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
144KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
124KB
-
Filesize
248KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
1024KB
-
Filesize
4.1MB
-
Filesize
4.1MB
-
Filesize
3.9MB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
72KB
-
Filesize
160KB
-
Filesize
320KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
584KB