Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
06-12-2022 02:43
General
-
Target
eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe
-
Size
331KB
-
MD5
69f4b2f80e0bb8ae4b22e14d2fb4ed87
-
SHA1
43e11e9ff4a7473bb4b03c8df232b65e3422302e
-
SHA256
eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
-
SHA512
b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
SSDEEP
6144:+ZLTnLkTdx5/lGB+vtRGYVauDSIDcMCVS:+ZL7LIlVvtnVaQDcBVS
Malware Config
Extracted
amadey
3.50
77.73.133.72/hfk3vK9/index.php
Extracted
redline
@2023
79.137.192.28:20723
-
auth_value
93b4b7d0dc8e9415e261a402587c6710
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 19 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe"C:\Users\Admin\AppData\Local\Temp\eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 3364⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 13042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 13122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 13082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1612 -ip 16121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1612 -ip 16121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1612 -ip 16121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 672 -ip 6721⤵
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 5442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 5522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 7962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2832 -ip 28321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2832 -ip 28321⤵
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 5402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 5482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 7962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 8162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2460 -ip 24601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2460 -ip 24601⤵
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 5442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 5522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 7962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 8162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1588 -ip 15881⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
277KB
MD54f7358c27ddf88af37f87127239aaa97
SHA1e6c66e755ad804b66a12d92c88cfe4465bd64710
SHA25680a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6
SHA512d9a9b73ee1ae0ff73915ab6c26f9a347f038b4df2fa3a240be287f83400f67fa9f66d39867132d08aa1f1daa3aee36f60194fdc448333f1e8ec7e6f2e2d41fbd
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
277KB
MD54f7358c27ddf88af37f87127239aaa97
SHA1e6c66e755ad804b66a12d92c88cfe4465bd64710
SHA25680a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6
SHA512d9a9b73ee1ae0ff73915ab6c26f9a347f038b4df2fa3a240be287f83400f67fa9f66d39867132d08aa1f1daa3aee36f60194fdc448333f1e8ec7e6f2e2d41fbd
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
331KB
MD569f4b2f80e0bb8ae4b22e14d2fb4ed87
SHA143e11e9ff4a7473bb4b03c8df232b65e3422302e
SHA256eeb55c67d2c0f71fd723259cf162f67f928dfd2039dcd397660660ea71246a71
SHA512b746170236c027142a7cbd07f4d89a7bf60d6642be0d9a858ff66130e27a3783f5dcf3e3c4fdf9cb0d11dffb85dc8b2879d3ddb331981abd4a4d2058150035fa
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
memory/224-141-0x0000000000000000-mapping.dmp
-
memory/672-142-0x0000000000000000-mapping.dmp
-
memory/1588-181-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1588-180-0x000000000067C000-0x000000000069A000-memory.dmpFilesize
120KB
-
memory/1588-182-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1612-148-0x00000000006C8000-0x00000000006E7000-memory.dmpFilesize
124KB
-
memory/1612-151-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1612-134-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/1612-132-0x00000000006C8000-0x00000000006E7000-memory.dmpFilesize
124KB
-
memory/1612-133-0x00000000005F0000-0x000000000062E000-memory.dmpFilesize
248KB
-
memory/2460-178-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2460-177-0x00000000007DC000-0x00000000007FB000-memory.dmpFilesize
124KB
-
memory/2460-176-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2460-175-0x00000000007DC000-0x00000000007FB000-memory.dmpFilesize
124KB
-
memory/2832-158-0x000000000062C000-0x000000000064B000-memory.dmpFilesize
124KB
-
memory/2832-167-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2832-159-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/2832-166-0x000000000062C000-0x000000000064B000-memory.dmpFilesize
124KB
-
memory/3404-173-0x00000000007E0000-0x0000000000804000-memory.dmpFilesize
144KB
-
memory/3404-169-0x0000000000000000-mapping.dmp
-
memory/3508-140-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/3508-135-0x0000000000000000-mapping.dmp
-
memory/3508-139-0x0000000000520000-0x000000000055E000-memory.dmpFilesize
248KB
-
memory/3508-138-0x0000000000588000-0x00000000005A7000-memory.dmpFilesize
124KB
-
memory/3508-161-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/3508-160-0x0000000000588000-0x00000000005A7000-memory.dmpFilesize
124KB
-
memory/4812-156-0x0000000007380000-0x00000000073BC000-memory.dmpFilesize
240KB
-
memory/4812-165-0x0000000008250000-0x0000000008412000-memory.dmpFilesize
1.8MB
-
memory/4812-155-0x0000000007320000-0x0000000007332000-memory.dmpFilesize
72KB
-
memory/4812-154-0x0000000007410000-0x000000000751A000-memory.dmpFilesize
1.0MB
-
memory/4812-153-0x0000000005A80000-0x0000000006098000-memory.dmpFilesize
6.1MB
-
memory/4812-146-0x0000000000540000-0x0000000000572000-memory.dmpFilesize
200KB
-
memory/4812-145-0x0000000000000000-mapping.dmp
-
memory/4812-162-0x0000000008440000-0x00000000089E4000-memory.dmpFilesize
5.6MB
-
memory/4812-168-0x0000000008F20000-0x000000000944C000-memory.dmpFilesize
5.2MB
-
memory/4812-163-0x0000000007F70000-0x0000000008002000-memory.dmpFilesize
584KB
-
memory/4812-164-0x0000000008010000-0x0000000008076000-memory.dmpFilesize
408KB