Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    331KB

  • MD5

    008a0ba6dce7fc04132a2e11096c822c

  • SHA1

    4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

  • SHA256

    440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

  • SHA512

    65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

  • SSDEEP

    6144:NCHVs7DyEPUAQwU8KxZsNdlJbR2gOjIDcgeVS:NC1ODxPUAwxYP1JdDcgeVS

Score
10/10
amadeyredlinenoshcollectioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.167/v7eWcjs/index.php

Extracted

Family

redline

Botnet

nosh

C2

31.41.244.14:4683

Attributes
  • auth_value

    7455ba4498ca1bfb73b0efbf830fb9b4

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 6 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1504
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:4992
      • C:\Users\Admin\AppData\Local\Temp\1000013001\nash.exe
        "C:\Users\Admin\AppData\Local\Temp\1000013001\nash.exe"
        3⤵
        • Executes dropped EXE
        PID:4032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1304
      2⤵
      • Program crash
      PID:1136
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1308
      2⤵
      • Program crash
      PID:3352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1224
      2⤵
      • Program crash
      PID:4916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 208 -ip 208
    1⤵
      PID:1884
    • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      1⤵
      • Executes dropped EXE
      PID:3116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 544
        2⤵
        • Program crash
        PID:4468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 796
        2⤵
        • Program crash
        PID:4748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 804
        2⤵
        • Program crash
        PID:4160
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3116 -ip 3116
      1⤵
        PID:3248
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 208 -ip 208
        1⤵
          PID:3836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 208 -ip 208
          1⤵
            PID:3640
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3116 -ip 3116
            1⤵
              PID:1520
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3116 -ip 3116
              1⤵
                PID:4716

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Scheduled Task

              1
              T1053

              Persistence

              Scheduled Task

              1
              T1053

              Privilege Escalation

              Scheduled Task

              1
              T1053

              Defense Evasion

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\1000013001\nash.exe
                Filesize

                175KB

                MD5

                f9021651b165064dfbe6662f543e1792

                SHA1

                104ab0e4fb3302dd77489f9d41ee28b60d06adc0

                SHA256

                fc0e730c9b09606eb09f91f39d9e780f005bd0f1674ee411cbb0de75acbe4bae

                SHA512

                1b747dd451092bfa6115c0993e7ad84b4262cbf4b0b91f6418544d5796d145b9cc6fec8bcf4b6a63644b9458f987469ded3580ac6aa378cb435fe86fe14ab96f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\1000013001\nash.exe
                Filesize

                175KB

                MD5

                f9021651b165064dfbe6662f543e1792

                SHA1

                104ab0e4fb3302dd77489f9d41ee28b60d06adc0

                SHA256

                fc0e730c9b09606eb09f91f39d9e780f005bd0f1674ee411cbb0de75acbe4bae

                SHA512

                1b747dd451092bfa6115c0993e7ad84b4262cbf4b0b91f6418544d5796d145b9cc6fec8bcf4b6a63644b9458f987469ded3580ac6aa378cb435fe86fe14ab96f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
                Filesize

                331KB

                MD5

                008a0ba6dce7fc04132a2e11096c822c

                SHA1

                4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

                SHA256

                440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

                SHA512

                65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
                Filesize

                331KB

                MD5

                008a0ba6dce7fc04132a2e11096c822c

                SHA1

                4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

                SHA256

                440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

                SHA512

                65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
                Filesize

                331KB

                MD5

                008a0ba6dce7fc04132a2e11096c822c

                SHA1

                4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

                SHA256

                440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

                SHA512

                65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

                Download Submit
              • C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
                Filesize

                126KB

                MD5

                aebf8cd9ea982decded5ee6f3777c6d7

                SHA1

                406e723158cd5697503d1d04839d3bc7a5051603

                SHA256

                104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

                SHA512

                f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

                Download Submit
              • C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
                Filesize

                126KB

                MD5

                aebf8cd9ea982decded5ee6f3777c6d7

                SHA1

                406e723158cd5697503d1d04839d3bc7a5051603

                SHA256

                104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

                SHA512

                f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

                Download Submit
              • memory/208-132-0x0000000000799000-0x00000000007B8000-memory.dmp
                Filesize

                124KB

                Download
              • memory/208-142-0x0000000000799000-0x00000000007B8000-memory.dmp
                Filesize

                124KB

                Download
              • memory/208-143-0x0000000000400000-0x0000000000471000-memory.dmp
                Filesize

                452KB

                Download
              • memory/208-134-0x0000000000400000-0x0000000000471000-memory.dmp
                Filesize

                452KB

                Download
              • memory/208-154-0x0000000000400000-0x0000000000471000-memory.dmp
                Filesize

                452KB

                Download
              • memory/208-133-0x00000000005C0000-0x00000000005FE000-memory.dmp
                Filesize

                248KB

                Download
              • memory/1504-138-0x0000000000000000-mapping.dmp
                Download
              • memory/2800-140-0x0000000001FB0000-0x0000000001FEE000-memory.dmp
                Filesize

                248KB

                Download
              • memory/2800-141-0x0000000000400000-0x0000000000471000-memory.dmp
                Filesize

                452KB

                Download
              • memory/2800-135-0x0000000000000000-mapping.dmp
                Download
              • memory/2800-139-0x0000000000728000-0x0000000000747000-memory.dmp
                Filesize

                124KB

                Download
              • memory/3116-146-0x0000000000400000-0x0000000000471000-memory.dmp
                Filesize

                452KB

                Download
              • memory/3116-145-0x00000000005EC000-0x000000000060A000-memory.dmp
                Filesize

                120KB

                Download
              • memory/3116-159-0x0000000000400000-0x0000000000471000-memory.dmp
                Filesize

                452KB

                Download
              • memory/4032-150-0x0000000000000000-mapping.dmp
                Download
              • memory/4032-153-0x00000000008F0000-0x0000000000922000-memory.dmp
                Filesize

                200KB

                Download
              • memory/4032-155-0x0000000005800000-0x0000000005E18000-memory.dmp
                Filesize

                6.1MB

                Download
              • memory/4032-156-0x0000000005380000-0x000000000548A000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/4032-157-0x00000000052B0000-0x00000000052C2000-memory.dmp
                Filesize

                72KB

                Download
              • memory/4032-158-0x0000000005490000-0x00000000054CC000-memory.dmp
                Filesize

                240KB

                Download
              • memory/4992-147-0x0000000000000000-mapping.dmp
                Download