Analysis
-
max time kernel
110s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
04-12-2022 15:49
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
380KB
-
MD5
92b1303e8e81c503d90b4118d927e27f
-
SHA1
2249da32fd9faefdba7852cee1d82ed6e9fb8039
-
SHA256
b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
-
SHA512
0aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
SSDEEP
6144:dXDiBP0cJURpxslD2mwRxJwXXDRVymlglAIG1PF:dXDiB3UbSlD2fRxJkT7yWgljG
Malware Config
Extracted
amadey
3.50
31.41.244.167/v7eWcjs/index.php
Extracted
redline
NewDef2023
185.106.92.214:2510
-
auth_value
048f34b18865578890538db10b2e9edf
Signatures
-
Detect Amadey credential stealer module 5 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll amadey_cred_module \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll amadey_cred_module \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll amadey_cred_module \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll amadey_cred_module \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll amadey_cred_module -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/976-71-0x0000000001F90000-0x0000000001FCE000-memory.dmp family_redline behavioral1/memory/976-75-0x0000000002020000-0x000000000205C000-memory.dmp family_redline -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 7 840 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
gntuud.exeanon.exegntuud.exegntuud.exepid process 1372 gntuud.exe 976 anon.exe 1620 gntuud.exe 1740 gntuud.exe -
Loads dropped DLL 8 IoCs
Processes:
file.exegntuud.exerundll32.exepid process 1376 file.exe 1376 file.exe 1372 gntuud.exe 1372 gntuud.exe 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
gntuud.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\anon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006001\\anon.exe" gntuud.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
anon.exerundll32.exepid process 976 anon.exe 976 anon.exe 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
anon.exedescription pid process Token: SeDebugPrivilege 976 anon.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
file.exegntuud.exetaskeng.exedescription pid process target process PID 1376 wrote to memory of 1372 1376 file.exe gntuud.exe PID 1376 wrote to memory of 1372 1376 file.exe gntuud.exe PID 1376 wrote to memory of 1372 1376 file.exe gntuud.exe PID 1376 wrote to memory of 1372 1376 file.exe gntuud.exe PID 1372 wrote to memory of 320 1372 gntuud.exe schtasks.exe PID 1372 wrote to memory of 320 1372 gntuud.exe schtasks.exe PID 1372 wrote to memory of 320 1372 gntuud.exe schtasks.exe PID 1372 wrote to memory of 320 1372 gntuud.exe schtasks.exe PID 1372 wrote to memory of 976 1372 gntuud.exe anon.exe PID 1372 wrote to memory of 976 1372 gntuud.exe anon.exe PID 1372 wrote to memory of 976 1372 gntuud.exe anon.exe PID 1372 wrote to memory of 976 1372 gntuud.exe anon.exe PID 1892 wrote to memory of 1620 1892 taskeng.exe gntuud.exe PID 1892 wrote to memory of 1620 1892 taskeng.exe gntuud.exe PID 1892 wrote to memory of 1620 1892 taskeng.exe gntuud.exe PID 1892 wrote to memory of 1620 1892 taskeng.exe gntuud.exe PID 1372 wrote to memory of 840 1372 gntuud.exe rundll32.exe PID 1372 wrote to memory of 840 1372 gntuud.exe rundll32.exe PID 1372 wrote to memory of 840 1372 gntuud.exe rundll32.exe PID 1372 wrote to memory of 840 1372 gntuud.exe rundll32.exe PID 1372 wrote to memory of 840 1372 gntuud.exe rundll32.exe PID 1372 wrote to memory of 840 1372 gntuud.exe rundll32.exe PID 1372 wrote to memory of 840 1372 gntuud.exe rundll32.exe PID 1892 wrote to memory of 1740 1892 taskeng.exe gntuud.exe PID 1892 wrote to memory of 1740 1892 taskeng.exe gntuud.exe PID 1892 wrote to memory of 1740 1892 taskeng.exe gntuud.exe PID 1892 wrote to memory of 1740 1892 taskeng.exe gntuud.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\system32\taskeng.exetaskeng.exe {F13A396A-CF1A-49FF-AC13-D6B3F17826E6} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeC:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeC:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exeFilesize
461KB
MD51412198b256f623630accf61dde12487
SHA134e3cf0fd6969f0b7bf857a33cb638f9c617106f
SHA2567e21201bce1ac386ae78ca7cd6f8b12649c61462dca2191997e9ba978f9df13f
SHA51270635349f58d5087f5fe847014a69f7f4fe51e093e48fd753268866d0a1b653b396def759f9faf9fa0ee9fe9477c7939e88cc7177305003606925ac73f137622
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Local\Temp\1000006001\anon.exeFilesize
461KB
MD51412198b256f623630accf61dde12487
SHA134e3cf0fd6969f0b7bf857a33cb638f9c617106f
SHA2567e21201bce1ac386ae78ca7cd6f8b12649c61462dca2191997e9ba978f9df13f
SHA51270635349f58d5087f5fe847014a69f7f4fe51e093e48fd753268866d0a1b653b396def759f9faf9fa0ee9fe9477c7939e88cc7177305003606925ac73f137622
-
\Users\Admin\AppData\Local\Temp\1000006001\anon.exeFilesize
461KB
MD51412198b256f623630accf61dde12487
SHA134e3cf0fd6969f0b7bf857a33cb638f9c617106f
SHA2567e21201bce1ac386ae78ca7cd6f8b12649c61462dca2191997e9ba978f9df13f
SHA51270635349f58d5087f5fe847014a69f7f4fe51e093e48fd753268866d0a1b653b396def759f9faf9fa0ee9fe9477c7939e88cc7177305003606925ac73f137622
-
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
memory/320-63-0x0000000000000000-mapping.dmp
-
memory/840-93-0x0000000000161000-0x000000000017B000-memory.dmpFilesize
104KB
-
memory/840-86-0x0000000000000000-mapping.dmp
-
memory/976-75-0x0000000002020000-0x000000000205C000-memory.dmpFilesize
240KB
-
memory/976-69-0x0000000000000000-mapping.dmp
-
memory/976-74-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/976-79-0x000000000062A000-0x000000000065B000-memory.dmpFilesize
196KB
-
memory/976-80-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/976-73-0x0000000000220000-0x000000000025E000-memory.dmpFilesize
248KB
-
memory/976-72-0x000000000062A000-0x000000000065B000-memory.dmpFilesize
196KB
-
memory/976-71-0x0000000001F90000-0x0000000001FCE000-memory.dmpFilesize
248KB
-
memory/1372-57-0x0000000000000000-mapping.dmp
-
memory/1372-77-0x000000000026A000-0x0000000000289000-memory.dmpFilesize
124KB
-
memory/1372-78-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1372-65-0x000000000026A000-0x0000000000289000-memory.dmpFilesize
124KB
-
memory/1372-66-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1376-61-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1376-59-0x000000000063A000-0x0000000000658000-memory.dmpFilesize
120KB
-
memory/1376-60-0x0000000000260000-0x000000000029E000-memory.dmpFilesize
248KB
-
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmpFilesize
8KB
-
memory/1620-85-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1620-84-0x000000000051A000-0x0000000000538000-memory.dmpFilesize
120KB
-
memory/1620-81-0x0000000000000000-mapping.dmp
-
memory/1740-94-0x0000000000000000-mapping.dmp
-
memory/1740-98-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1740-97-0x000000000050A000-0x0000000000528000-memory.dmpFilesize
120KB