Analysis
max time kernel: 224s
max time network: 343s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 22:38
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20220901-en)
General
Target: file.exe
Size: 424KB
MD5: 4c6266913d07fb5f0d93a672245bce4d
SHA1: 7f0350c11ffd551d254b43104b777b037bb483f9
SHA256: 5466d0943a1847718121bd431d6ecbf3bfcd0d10fcc0d97cd559c5e99f4bf92e
SHA512: b0ff6f887110643c08a98800cd62cb320aba82969632539058a998fc90495b4262bdb2feb5b7785380a4e3f54a64ec894da24319040de90a25caf9e84145b794
SSDEEP: 6144:op6hZKsL6S1a6x3KL01PzJA0S6qm/3ydFBDfxhgAWcoBlC9XcObSaVe:opwZfuS1a65AcO0S6xyjBJMcWCFfS3
Malware Config
Extracted: amadey
  Version: 3.50
  C2: 62.204.41.6/p9cWxH/index.php
Extracted: redline
  Botnet: new2811
  C2: jamesmillion.xyz:15772
  auth_value: 86a08d2c48d5c5db0c9cb371fb180937
Signatures

Detect Amadey credential stealer module (5 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x0008000000012300-81.dat   amadey_cred_module
  behavioral1/files/0x0008000000012300-80.dat   amadey_cred_module
  behavioral1/files/0x0008000000012300-79.dat   amadey_cred_module
  behavioral1/files/0x0008000000012300-78.dat   amadey_cred_module
  behavioral1/files/0x0008000000012300-82.dat   amadey_cred_module

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  7     1660  rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid   Process
  1296  gntuud.exe
  1020  gntuud.exe
  1972  5jk29l2fg.exe
  1708  linda5.exe

Loads dropped DLL (15 IoCs)
  pid   Process
  576   file.exe (x2)
  1660  rundll32.exe (x4)
  1296  gntuud.exe (x3)
  1308  WerFault.exe (x2)
  948   rundll32.exe (x4)

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  description  ioc                                                                                                                                                                 Process
  Key opened   \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\5jk29l2fg.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000033001\\5jk29l2fg.exe"   gntuud.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process        procid_target
  PID 1972 set thread context of 1032   1972  5jk29l2fg.exe  38

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1308  1972        WerFault.exe  36

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1220  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1660  rundll32.exe (x4)

Suspicious use of WriteProcessMemory (48 IoCs)
  description                        pid   Process        procid_target  count
  PID 576 wrote to memory of 1296    576   file.exe       28             x4
  PID 1296 wrote to memory of 1220   1296  gntuud.exe     29             x4
  PID 1328 wrote to memory of 1020   1328  taskeng.exe    34             x4
  PID 1296 wrote to memory of 1660   1296  gntuud.exe     35             x7
  PID 1296 wrote to memory of 1972   1296  gntuud.exe     36             x4
  PID 1296 wrote to memory of 1708   1296  gntuud.exe     39             x4
  PID 1972 wrote to memory of 1032   1972  5jk29l2fg.exe  38             x6
  PID 1708 wrote to memory of 1756   1708  linda5.exe     41             x4
  PID 1972 wrote to memory of 1308   1972  5jk29l2fg.exe  40             x4
  PID 1756 wrote to memory of 948    1756  control.exe    42             x7

outlook_win_path (1 IoCs)
  description  ioc                                                                                                                                                                 Process
  Key opened   \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe
Processes
(each entry: image path, command line, PID; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\file.exe  "C:\Users\Admin\AppData\Local\Temp\file.exe"  PID:576
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe  "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"  PID:1296
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F  PID:1220
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\rundll32.exe  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main  PID:1660
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
    C:\Users\Admin\AppData\Local\Temp\1000033001\5jk29l2fg.exe  "C:\Users\Admin\AppData\Local\Temp\1000033001\5jk29l2fg.exe"  PID:1972
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"  PID:1032
      C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 36  PID:1308
        - Loads dropped DLL
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\1000036001\linda5.exe  "C:\Users\Admin\AppData\Local\Temp\1000036001\linda5.exe"  PID:1708
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\control.exe  "C:\Windows\System32\control.exe" .\EwUYgWZN.A_  PID:1756
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\EwUYgWZN.A_  PID:948
          - Loads dropped DLL

C:\Windows\system32\taskeng.exe  taskeng.exe {0AC00872-4478-468A-B3A7-80C42D2818A7} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]  PID:1328
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe  PID:1020
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 787KB
MD5: abacca218986209482f20ed9772c4cf4
SHA1: 2398f39d3a0007ed0fbb5af7a26e4ccce249af9f
SHA256: a404da44d49619445b10db9dad87e04456aa18ec88e9fc9ee328e40d8bbf479d
SHA512: 5a834ae01248f8aac8aa198435d9fb71da3d26fcc23cd66faf1d29dc85a8bdb56464aed336494ea51eef8258fed08ba93cea3bf0f9882961bb4e40d20144afd6

Filesize: 1.9MB
MD5: 0e9bfabe537314685b87cdcb0844a112
SHA1: 58c3081e273e4805dba197bd921166e0e24077d2
SHA256: f66c1bad8db08fdf7d7b8dd7fe0694a8b790591b958076f74d7875dd09b3fb79
SHA512: 2bc6c7984507d1077204a588cc9ee003ea183a6533817c2c4729b113086d74f2abd9a49877677aa2449a4a94075663896840553569acc5a9aa20b82aad18c425

Filesize: 424KB
MD5: 4c6266913d07fb5f0d93a672245bce4d
SHA1: 7f0350c11ffd551d254b43104b777b037bb483f9
SHA256: 5466d0943a1847718121bd431d6ecbf3bfcd0d10fcc0d97cd559c5e99f4bf92e
SHA512: b0ff6f887110643c08a98800cd62cb320aba82969632539058a998fc90495b4262bdb2feb5b7785380a4e3f54a64ec894da24319040de90a25caf9e84145b794

Filesize: 3.6MB
MD5: e2400e6cbede2b5a4ad2c9952240731f
SHA1: 683e3e0ca21ec3557713a3324db1b514f38501e2
SHA256: de40b9df50d5d457b356ea0158f3011ee242144f921cfdc32c585f3b94279bab
SHA512: e461d2619f02e4fe15697ba406e942ccae7047f2356941e91812acecafaf3c5f34004156783040586475b4c813f852ef2c84f8335fae45c42db867d3deb521c6

Filesize: 126KB
MD5: 98cc0f811ad5ff43fedc262961002498
SHA1: 37e48635fcef35c0b3db3c1f0c35833899eb53d8
SHA256: 62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be
SHA512: d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1