Analysis
- max time kernel: 97s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 09:26
- Static task: static1
- Behavioral task: behavioral1 (sample: file.exe; resource: win7-20220812-en)
- Behavioral task: behavioral2 (sample: file.exe; resource: win10v2004-20220812-en)
General
- Target: file.exe
- Size: 358KB
- MD5: 9aa75e68077b6931ceb2614e8c4398ab
- SHA1: a1004d12ab58eb3716ec1a427be7d7beffac5529
- SHA256: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd
- SHA512: 816d6c3511293bf83c7e39c12bea88e067285bd2977395a2f80a238eb276f24fd44f9cf41e50d692f0ea7a70b7e4c067b2bb438420f93b81e259a3eac8b5f855
- SSDEEP: 6144:NoHGyQyL3QzpZeQ50O4IV9FuyHJAkavffVN+F:Nomy7jQzpZx0O59s+JAdVN+F
Malware Config
- Extracted: amadey
  - Version: 3.50
  - C2: 77.73.133.72/hfk3vK9/index.php
- Extracted: redline
  - Botnet: @2023@
  - C2: 193.106.191.138:32796
  - auth_value: ca057e5baadfd0774a34a6a949cd5e69
Signatures
- Detect Amadey credential stealer module (5 IoCs)
  resource / yara_rule:
  - C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll / amadey_cred_module
  - \Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll / amadey_cred_module (4 identical hits)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Blocklisted process makes network request (1 IoC)
  flow / pid / process:
  - 8 / 2044 / rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  pid / process:
  - 1204 / gntuud.exe
  - 1676 / softx64.exe
  - 1556 / gntuud.exe
  - 1328 / gntuud.exe
- Loads dropped DLL (8 IoCs)
  pid / process:
  - 1424 / file.exe (2 hits)
  - 1204 / gntuud.exe (2 hits)
  - 2044 / rundll32.exe (4 hits)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description / ioc / process:
  - Key opened / \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  - Set value (str) / \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\softx64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\softx64.exe" / gntuud.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / process / target process:
  - PID 1676 set thread context of 1124 / 1676 / softx64.exe / vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / process:
  - 1124 / vbc.exe
  - 2044 / rundll32.exe (4 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  - Token: SeDebugPrivilege / 1124 / vbc.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  description / pid / process / target process (identical rows collapsed; hit count in parentheses):
  - PID 1424 wrote to memory of 1204 / 1424 / file.exe / gntuud.exe (4)
  - PID 1204 wrote to memory of 2040 / 1204 / gntuud.exe / schtasks.exe (4)
  - PID 1204 wrote to memory of 1676 / 1204 / gntuud.exe / softx64.exe (4)
  - PID 1676 wrote to memory of 1124 / 1676 / softx64.exe / vbc.exe (6)
  - PID 624 wrote to memory of 1556 / 624 / taskeng.exe / gntuud.exe (4)
  - PID 1204 wrote to memory of 2044 / 1204 / gntuud.exe / rundll32.exe (7)
  - PID 624 wrote to memory of 1328 / 624 / taskeng.exe / gntuud.exe (4)
- outlook_win_path (1 IoC)
  description / ioc / process:
  - Key opened / \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {8A0D1CCF-6210-429B-A2BC-0E22698C74A5} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Signatures: Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
  Filesize: 277KB
  MD5: 35be18acaf8431872ea2d376d87f136e
  SHA1: 90a57a41395e0bcdab44febb91c3f51b63a04071
  SHA256: 46a2d43772995ed2cdb6ab834e9fe14ed6011b2bad904203d61b0f1af25c1f2b
  SHA512: 25a08fc7787a1cfebe4471a10e6fc7e8fd21df4187b03a1ae501eef8792e6bbb34fb9a158634e814fd7b74f412253403faed6ebb2b0a4bc42351dc90a6649085
- C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe (hashes identical to the submitted file.exe)
  Filesize: 358KB
  MD5: 9aa75e68077b6931ceb2614e8c4398ab
  SHA1: a1004d12ab58eb3716ec1a427be7d7beffac5529
  SHA256: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd
  SHA512: 816d6c3511293bf83c7e39c12bea88e067285bd2977395a2f80a238eb276f24fd44f9cf41e50d692f0ea7a70b7e4c067b2bb438420f93b81e259a3eac8b5f855
- C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll
  Filesize: 126KB
  MD5: 349b2b47fef50fa6a1fc19d0ee4b2db8
  SHA1: 077f4328b3f060a9f010b1a63d9e127d24ddafd4
  SHA256: 5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
  SHA512: 83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773