Analysis

max time kernel: 194s
max time network: 257s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 17:16

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General

Target: file.exe
Size: 332KB
MD5: cb224fa9c997ca170553d96aedc36f5e
SHA1: 40fe73f63ad3eee278f194c321419595f61dad91
SHA256: 7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8
SHA512: c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729
SSDEEP: 6144:ZaR9xA3l8Er8vQ4Ifmc6PoJG4iKWzujBNfIDcJbDTVS:ZaR7AVjrmDoZ6PoJGcwDcJbXVS
Malware Config

Extracted: amadey
  version: 3.50
  C2: 62.204.41.6/p9cWxH/index.php

Extracted: redline
  botnet: Wish
  C2: 31.41.244.14:4694
  auth_value: 836b5b05c28f01127949ef1e84b93e92
Signatures

Detect Amadey credential stealer module (5 IoCs)
  resource / yara_rule:
    \Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll / amadey_cred_module (4 matches)
    C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll / amadey_cred_module

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Blocklisted process makes network request (1 IoC)
  flow / pid / process:
    7 / 860 / rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  pid / process:
    528 / gntuud.exe
    108 / wish.exe
    1160 / build333333.exe

Loads dropped DLL (9 IoCs)
  pid / process:
    1164 / file.exe (2 matches)
    860 / rundll32.exe (4 matches)
    528 / gntuud.exe (3 matches)

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description / ioc / process:
    Key opened / \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
    Set value (str) / \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wish.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000012001\\wish.exe" / gntuud.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / process:
    860 / rundll32.exe (4 matches)

Suspicious use of WriteProcessMemory (23 IoCs)
  description / pid / process / target process:
    PID 1164 wrote to memory of 528 / 1164 / file.exe / gntuud.exe (4 matches)
    PID 528 wrote to memory of 1280 / 528 / gntuud.exe / schtasks.exe (4 matches)
    PID 528 wrote to memory of 860 / 528 / gntuud.exe / rundll32.exe (7 matches)
    PID 528 wrote to memory of 108 / 528 / gntuud.exe / wish.exe (4 matches)
    PID 528 wrote to memory of 1160 / 528 / gntuud.exe / build333333.exe (4 matches)

outlook_win_path (1 IoC)
  description / ioc / process:
    Key opened / \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
         - Creates scheduled task(s)

      3. C:\Windows\SysWOW64\rundll32.exe
         command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - outlook_win_path

      3. C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe"
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
  Filesize: 175KB
  MD5: 8b08fce2936c8363994dda1d6e9ddadf
  SHA1: 15cfdfe6e406c0e69d2e6261b898b97eed6f34e2
  SHA256: 3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991
  SHA512: 925ad9dbe1681a3494450978217c0dd98b637e681a9713280756908f444bef95cf9b9649aa80383561ec59b5951885901b16227e9853c1111a4271ab8e1d0b67

C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
  Filesize: 2.9MB
  MD5: c9c15c4061ab4de4cb7c473c2760f923
  SHA1: e64cbcd186178d44a1e8584c417b7d865417be0b
  SHA256: d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e
  SHA512: 6fe139e6e5d7923b932938acfd32b041fb16dac5945c50ef81a5dd61563d0faf1ef1a97db28a9f23a40abfe2fe78f756477157a13b217f6cf199a5ec122ab367

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Filesize: 332KB
  MD5: cb224fa9c997ca170553d96aedc36f5e
  SHA1: 40fe73f63ad3eee278f194c321419595f61dad91
  SHA256: 7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8
  SHA512: c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 126KB
  MD5: 98cc0f811ad5ff43fedc262961002498
  SHA1: 37e48635fcef35c0b3db3c1f0c35833899eb53d8
  SHA256: 62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be
  SHA512: d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Memory dumps

memory/108-81-0x00000000003C0000-0x00000000003F2000-memory.dmp (Filesize: 200KB)
memory/108-78-0x0000000000000000-mapping.dmp
memory/528-69-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize: 452KB)
memory/528-66-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize: 452KB)
memory/528-65-0x000000000055B000-0x000000000057A000-memory.dmp (Filesize: 124KB)
memory/528-59-0x0000000000000000-mapping.dmp
memory/860-70-0x0000000000000000-mapping.dmp
memory/1160-85-0x0000000000000000-mapping.dmp
memory/1164-54-0x0000000076931000-0x0000000076933000-memory.dmp (Filesize: 8KB)
memory/1164-63-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize: 452KB)
memory/1164-62-0x0000000000290000-0x00000000002CE000-memory.dmp (Filesize: 248KB)
memory/1164-61-0x000000000030B000-0x000000000032A000-memory.dmp (Filesize: 124KB)
memory/1164-56-0x0000000000290000-0x00000000002CE000-memory.dmp (Filesize: 248KB)
memory/1164-55-0x000000000030B000-0x000000000032A000-memory.dmp (Filesize: 124KB)
memory/1280-67-0x0000000000000000-mapping.dmp