Analysis
-
max time kernel
110s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
04-12-2022 15:49
General
-
Target
file.exe
-
Size
380KB
-
MD5
92b1303e8e81c503d90b4118d927e27f
-
SHA1
2249da32fd9faefdba7852cee1d82ed6e9fb8039
-
SHA256
b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
-
SHA512
0aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
SSDEEP
6144:dXDiBP0cJURpxslD2mwRxJwXXDRVymlglAIG1PF:dXDiB3UbSlD2fRxJkT7yWgljG
Malware Config
Extracted
amadey
3.50
31.41.244.167/v7eWcjs/index.php
Extracted
redline
NewDef2023
185.106.92.214:2510
-
auth_value
048f34b18865578890538db10b2e9edf
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\system32\taskeng.exetaskeng.exe {F13A396A-CF1A-49FF-AC13-D6B3F17826E6} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeC:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeC:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exeFilesize
461KB
MD51412198b256f623630accf61dde12487
SHA134e3cf0fd6969f0b7bf857a33cb638f9c617106f
SHA2567e21201bce1ac386ae78ca7cd6f8b12649c61462dca2191997e9ba978f9df13f
SHA51270635349f58d5087f5fe847014a69f7f4fe51e093e48fd753268866d0a1b653b396def759f9faf9fa0ee9fe9477c7939e88cc7177305003606925ac73f137622
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Local\Temp\1000006001\anon.exeFilesize
461KB
MD51412198b256f623630accf61dde12487
SHA134e3cf0fd6969f0b7bf857a33cb638f9c617106f
SHA2567e21201bce1ac386ae78ca7cd6f8b12649c61462dca2191997e9ba978f9df13f
SHA51270635349f58d5087f5fe847014a69f7f4fe51e093e48fd753268866d0a1b653b396def759f9faf9fa0ee9fe9477c7939e88cc7177305003606925ac73f137622
-
\Users\Admin\AppData\Local\Temp\1000006001\anon.exeFilesize
461KB
MD51412198b256f623630accf61dde12487
SHA134e3cf0fd6969f0b7bf857a33cb638f9c617106f
SHA2567e21201bce1ac386ae78ca7cd6f8b12649c61462dca2191997e9ba978f9df13f
SHA51270635349f58d5087f5fe847014a69f7f4fe51e093e48fd753268866d0a1b653b396def759f9faf9fa0ee9fe9477c7939e88cc7177305003606925ac73f137622
-
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exeFilesize
380KB
MD592b1303e8e81c503d90b4118d927e27f
SHA12249da32fd9faefdba7852cee1d82ed6e9fb8039
SHA256b1c15a59178bd6b2e621f9aef502e329f3bffdeffcdc0e8f16e808b2b91666df
SHA5120aa2628a1b744e3640e8231290660b0886561a439f12f8fbb68b557e4f84cd4eae6ecb8833abf374b7a8bef3e46c3f74913add1f67aa17f45a9ed6232526dac3
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dllFilesize
126KB
MD5aebf8cd9ea982decded5ee6f3777c6d7
SHA1406e723158cd5697503d1d04839d3bc7a5051603
SHA256104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
-
memory/320-63-0x0000000000000000-mapping.dmp
-
memory/840-93-0x0000000000161000-0x000000000017B000-memory.dmpFilesize
104KB
-
memory/840-86-0x0000000000000000-mapping.dmp
-
memory/976-75-0x0000000002020000-0x000000000205C000-memory.dmpFilesize
240KB
-
memory/976-69-0x0000000000000000-mapping.dmp
-
memory/976-74-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/976-79-0x000000000062A000-0x000000000065B000-memory.dmpFilesize
196KB
-
memory/976-80-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/976-73-0x0000000000220000-0x000000000025E000-memory.dmpFilesize
248KB
-
memory/976-72-0x000000000062A000-0x000000000065B000-memory.dmpFilesize
196KB
-
memory/976-71-0x0000000001F90000-0x0000000001FCE000-memory.dmpFilesize
248KB
-
memory/1372-57-0x0000000000000000-mapping.dmp
-
memory/1372-77-0x000000000026A000-0x0000000000289000-memory.dmpFilesize
124KB
-
memory/1372-78-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1372-65-0x000000000026A000-0x0000000000289000-memory.dmpFilesize
124KB
-
memory/1372-66-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1376-61-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1376-59-0x000000000063A000-0x0000000000658000-memory.dmpFilesize
120KB
-
memory/1376-60-0x0000000000260000-0x000000000029E000-memory.dmpFilesize
248KB
-
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmpFilesize
8KB
-
memory/1620-85-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1620-84-0x000000000051A000-0x0000000000538000-memory.dmpFilesize
120KB
-
memory/1620-81-0x0000000000000000-mapping.dmp
-
memory/1740-94-0x0000000000000000-mapping.dmp
-
memory/1740-98-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/1740-97-0x000000000050A000-0x0000000000528000-memory.dmpFilesize
120KB