Analysis
  max time kernel: 146s
  max time network: 161s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06-12-2022 09:26

  Static task: static1
  Behavioral task: behavioral1 (sample file.exe, resource win7-20220812-en)
  Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20220812-en)

  This page shows behavioral2 (Windows 10 2004 x64); the memory dump paths below are prefixed behavioral2/.
General
  Target: file.exe
  Size: 358KB
  MD5: 9aa75e68077b6931ceb2614e8c4398ab
  SHA1: a1004d12ab58eb3716ec1a427be7d7beffac5529
  SHA256: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd
  SHA512: 816d6c3511293bf83c7e39c12bea88e067285bd2977395a2f80a238eb276f24fd44f9cf41e50d692f0ea7a70b7e4c067b2bb438420f93b81e259a3eac8b5f855
  SSDEEP: 6144:NoHGyQyL3QzpZeQ50O4IV9FuyHJAkavffVN+F:Nomy7jQzpZx0O59s+JAdVN+F
Malware Config
  Extracted: amadey
    version: 3.50
    C2: 77.73.133.72/hfk3vK9/index.php
  Extracted: redline
    botnet: @2023@
    C2: 193.106.191.138:32796
    auth_value: ca057e5baadfd0774a34a6a949cd5e69
Signatures

Detect Amadey credential stealer module (4 IoCs)
  yara rule: amadey_cred_module
    C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll  (file, matched 3 times)
    behavioral2/memory/4640-169-0x0000000000780000-0x00000000007A4000-memory.dmp  (memory of rundll32.exe, pid 4640)
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Blocklisted process makes network request (1 IoC)
  flow 59  pid 4640  rundll32.exe
Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid 4836  gntuud.exe
  pid 4716  softx64.exe
  pid 4968  gntuud.exe
  pid 4784  gntuud.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  by file.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  by gntuud.exe

Loads dropped DLL (2 IoCs)
  pid 4640  rundll32.exe  (2 events)
Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
  The sandbox labels this "VBS compiler", but vbc.exe under C:\Windows\Microsoft.NET\Framework\v4.0.30319 is the .NET Framework Visual Basic compiler, not a VBScript engine. softx64.exe starts it with no arguments, writes into it five times and then calls SetThreadContext on it (see the signatures below), which is consistent with process hollowing of a trusted, Microsoft-signed binary; the RedLine configuration extracted above most plausibly belongs to the payload that runs inside it.
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  by rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\softx64.exe = "C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"  by gntuud.exe

Suspicious use of SetThreadContext (1 IoC)
  pid 4716  softx64.exe  set the thread context of  pid 4156  vbc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but no encryption or ransom-note signatures fire in this report; with Amadey and a RedLine configuration present, drive enumeration is better read as host profiling by the stealer.

Program crash (4 IoCs)
  WerFault.exe pid 1432  for pid 3516  file.exe
  WerFault.exe pid 404   for pid 4716  softx64.exe
  WerFault.exe pid 4468  for pid 4968  gntuud.exe
  WerFault.exe pid 3244  for pid 4784  gntuud.exe

Creates scheduled task(s) (1 TTP)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here gntuud.exe registers itself under its own name to run every minute (/SC MINUTE /MO 1 /F), which is why it is started again twice at top level later in the trace.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 4156  vbc.exe       (1 event)
  pid 4640  rundll32.exe  (4 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 4156  vbc.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  pid 3516  file.exe      wrote to  pid 4836  gntuud.exe    (3 events)
  pid 4836  gntuud.exe    wrote to  pid 2128  schtasks.exe  (3 events)
  pid 4836  gntuud.exe    wrote to  pid 4716  softx64.exe   (3 events)
  pid 4716  softx64.exe   wrote to  pid 4156  vbc.exe       (5 events)
  pid 4836  gntuud.exe    wrote to  pid 4640  rundll32.exe  (3 events)
  Three writes accompany every ordinary child start in this trace; the five into vbc.exe, paired with SetThreadContext, stand out as the injection step.
outlook_win_path (1 IoC)
  Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  by rundll32.exe
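Detection logic for the three persistence and proxy-execution patterns recorded in the signatures above, written here as an added example rather than anything from the sandbox or the malware. The rules run over constructed Sysmon-style records: the positive cases reuse this report's schtasks command line, rundll32 command line and Run-key write; the negative cases, the Sysmon field names, and the five-minute interval threshold are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Paths a standard user can write to; persistence pointing here is the signal.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\",
                           re.IGNORECASE)


def win_argv(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def switches(argv: List[str]) -> Dict[str, str]:
    """Map each /switch to the value that follows it ("" if none)."""
    out = {}
    for i, a in enumerate(argv):
        if a.startswith("/"):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            out[a.lower()] = "" if nxt.startswith("/") else nxt
    return out


def rule_schtasks_minute(ev: Dict) -> Optional[str]:
    """schtasks /Create on a MINUTE schedule with a short modifier whose /TR
    action lives under the user's profile: the gntuud.exe pattern in this report."""
    argv = win_argv(ev.get("CommandLine", ""))
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    sw = switches(argv)
    if "/create" not in sw or sw.get("/sc", "").upper() != "MINUTE":
        return None
    mo = sw.get("/mo") or "1"            # MINUTE with no /MO means every minute
    if not mo.isdigit() or int(mo) > 5:  # 5-minute threshold is an assumption
        return None
    return "schtasks_minute_persistence" if USER_WRITABLE.match(sw.get("/tr", "")) else None


def rule_rundll32_user_dll(ev: Dict) -> Optional[str]:
    """rundll32 loading a DLL from AppData, as with cred64.dll,Main here."""
    argv = win_argv(ev.get("CommandLine", ""))
    if len(argv) < 2 or not argv[0].lower().endswith("rundll32.exe"):
        return None
    dll = argv[1].split(",")[0]          # accepts "x.dll,Export" and "x.dll, Export"
    if dll.lower().endswith(".dll") and USER_WRITABLE.match(dll):
        return "rundll32_user_dll"
    return None


def rule_run_key_user_path(ev: Dict) -> Optional[str]:
    """Run-key value (Sysmon event 13) whose data points into AppData."""
    if ev.get("EventID") != 13:
        return None
    key = ev.get("TargetObject", "").lower()
    if "\\currentversion\\run\\" in key and USER_WRITABLE.match(ev.get("Details", "").strip('"')):
        return "run_key_user_path"
    return None


RULES = (rule_schtasks_minute, rule_rundll32_user_dll, rule_run_key_user_path)


def scan(events: List[Dict]) -> List[Tuple[str, int]]:
    """Apply every rule to every event; return (rule_name, pid) hits in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev["ProcessId"]))
    return hits


# Constructed Sysmon-style records. The first three reuse command lines and the
# registry write from this report; the last two are invented benign cases.
EVENTS = [
    {"EventID": 1, "ProcessId": 2128, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
                    r'/TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F'},
    {"EventID": 1, "ProcessId": 4640, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main'},
    {"EventID": 13, "ProcessId": 4836,
     "TargetObject": r"HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\softx64.exe",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for name, pid in scan(EVENTS):
        print(f"{name:32} pid {pid}")
```

The three rules deliberately key on where the action points (a user-writable profile directory) rather than on the binary name alone, since schtasks and rundll32 are used constantly by legitimate software; the daily backup task and the shell32 call in the sample set show the negatives passing through.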
Processes
  (32-bit parents throughout: a "System32" path in a command line resolves to SysWOW64 through WoW64 file-system redirection)

[1] C:\Users\Admin\AppData\Local\Temp\file.exe  (pid 3516)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe  (pid 4836)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe  (pid 2128)
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
        - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe  (pid 4716)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (pid 4156)
          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe  (pid 404)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 324
          - Program crash
    [3] C:\Windows\SysWOW64\rundll32.exe  (pid 4640)
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - outlook_win_path
  [2] C:\Windows\SysWOW64\WerFault.exe  (pid 1432)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1260
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3516 -ip 3516
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4716 -ip 4716
[1] C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe  (pid 4968; a top-level start consistent with the every-minute scheduled task)
    cmdline: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe  (pid 4468)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 416
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4968 -ip 4968
[1] C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe  (pid 4784; second top-level start from the scheduled task)
    cmdline: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe  (pid 3244)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 416
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4784 -ip 4784
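The softx64.exe to vbc.exe branch of the tree above, as an added example that is not part of the sandbox output: a correlation over a constructed stream of process-create, WriteProcessMemory and SetThreadContext events that flags a child started without arguments, written to by its parent, and then given a new thread context. The pids, image paths and command lines are taken from this report; the benign events, the event tuple layout, and the list of hollowing hosts other than vbc.exe are my assumptions.

```python
import re
from collections import defaultdict
from typing import List, Tuple

# Microsoft .NET host binaries commonly used for hollowing. vbc.exe is the one
# in this report; the others are assumed siblings from the same framework dir.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


def win_argv(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_hollowed(events) -> List[Tuple[int, int, str, int]]:
    """Return (parent_pid, child_pid, host_image, write_count) for each child
    that looks hollowed: a known host started with no arguments, written to by
    its parent, and whose thread context the parent then replaced.

    Event tuples (assumed layout):
      ("create", pid, ppid, image_path, command_line)
      ("write", source_pid, target_pid)              # one per WriteProcessMemory
      ("set_thread_context", source_pid, target_pid)
    """
    child = {}                  # pid -> (ppid, image basename, argc)
    writes = defaultdict(int)   # (src, dst) -> WriteProcessMemory count
    ctx = set()                 # (src, dst) pairs that saw SetThreadContext
    for ev in events:
        if ev[0] == "create":
            _, pid, ppid, image, cmdline = ev
            child[pid] = (ppid, image.rsplit("\\", 1)[-1].lower(), len(win_argv(cmdline)))
        elif ev[0] == "write":
            writes[(ev[1], ev[2])] += 1
        elif ev[0] == "set_thread_context":
            ctx.add((ev[1], ev[2]))
    hits = []
    for pid, (ppid, name, argc) in child.items():
        if name in HOLLOW_HOSTS and argc == 1 and (ppid, pid) in ctx and writes[(ppid, pid)] > 0:
            hits.append((ppid, pid, name, writes[(ppid, pid)]))
    return hits


SOFTX = r"C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
GNTUUD = r"C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"

# Constructed stream. The injection chain mirrors this report (3 writes per
# ordinary child, 5 writes plus SetThreadContext into vbc.exe); the real
# compiler invocation at the end is invented as a negative case.
EVENTS = [
    ("create", 4716, 4836, SOFTX, f'"{SOFTX}"'),
    ("create", 4156, 4716, VBC, f'"{VBC}"'),
    *[("write", 4716, 4156)] * 5,
    ("set_thread_context", 4716, 4156),
    ("create", 2128, 4836, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "' + GNTUUD + '" /F'),
    *[("write", 4836, 2128)] * 3,
    ("create", 7000, 6999, VBC, f'"{VBC}" /target:library Module1.vb'),
    *[("write", 6999, 7000)] * 3,
]

if __name__ == "__main__":
    for ppid, pid, name, n in find_hollowed(EVENTS):
        print(f"pid {ppid} hollowed {name} (pid {pid}) after {n} writes")
```

Write count alone is a poor discriminator here: the report shows three WriteProcessMemory events for every ordinary child as well, so the rule insists on the SetThreadContext event and on the host being launched with an empty argument list, which a genuine compiler run never is.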
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
  Filesize: 277KB
  MD5: 35be18acaf8431872ea2d376d87f136e
  SHA1: 90a57a41395e0bcdab44febb91c3f51b63a04071
  SHA256: 46a2d43772995ed2cdb6ab834e9fe14ed6011b2bad904203d61b0f1af25c1f2b
  SHA512: 25a08fc7787a1cfebe4471a10e6fc7e8fd21df4187b03a1ae501eef8792e6bbb34fb9a158634e814fd7b74f412253403faed6ebb2b0a4bc42351dc90a6649085
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe  (same size and hashes as the submitted file.exe)
  Filesize: 358KB
  MD5: 9aa75e68077b6931ceb2614e8c4398ab
  SHA1: a1004d12ab58eb3716ec1a427be7d7beffac5529
  SHA256: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd
  SHA512: 816d6c3511293bf83c7e39c12bea88e067285bd2977395a2f80a238eb276f24fd44f9cf41e50d692f0ea7a70b7e4c067b2bb438420f93b81e259a3eac8b5f855
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll
  Filesize: 126KB
  MD5: 349b2b47fef50fa6a1fc19d0ee4b2db8
  SHA1: 077f4328b3f060a9f010b1a63d9e127d24ddafd4
  SHA256: 5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
  SHA512: 83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
memory/2128-140-0x0000000000000000-mapping.dmp
memory/3516-138-0x00000000004A3000-0x00000000004C2000-memory.dmp  124KB
memory/3516-132-0x00000000004A3000-0x00000000004C2000-memory.dmp  124KB
memory/3516-139-0x0000000000400000-0x000000000045E000-memory.dmp  376KB
memory/3516-134-0x0000000000400000-0x000000000045E000-memory.dmp  376KB
memory/3516-133-0x00000000001C0000-0x00000000001FE000-memory.dmp  248KB
memory/4156-147-0x0000000000400000-0x0000000000432000-memory.dmp  200KB
memory/4156-159-0x0000000008D20000-0x00000000092C4000-memory.dmp  5.6MB
memory/4156-153-0x0000000007B00000-0x0000000007C0A000-memory.dmp  1.0MB
memory/4156-154-0x00000000079F0000-0x0000000007A02000-memory.dmp  72KB
memory/4156-155-0x0000000007A50000-0x0000000007A8C000-memory.dmp  240KB
memory/4156-156-0x00000000085C0000-0x0000000008626000-memory.dmp  408KB
memory/4156-157-0x00000000086D0000-0x0000000008762000-memory.dmp  584KB
memory/4156-152-0x0000000006170000-0x0000000006788000-memory.dmp  6.1MB
memory/4156-146-0x0000000000000000-mapping.dmp
memory/4156-160-0x0000000008940000-0x0000000008B02000-memory.dmp  1.8MB
memory/4156-161-0x0000000009800000-0x0000000009D2C000-memory.dmp  5.2MB
memory/4640-169-0x0000000000780000-0x00000000007A4000-memory.dmp  144KB
memory/4640-165-0x0000000000000000-mapping.dmp
memory/4716-143-0x0000000000000000-mapping.dmp
memory/4784-171-0x0000000000524000-0x0000000000543000-memory.dmp  124KB
memory/4784-172-0x0000000000400000-0x000000000045E000-memory.dmp  376KB
memory/4836-141-0x0000000000583000-0x00000000005A2000-memory.dmp  124KB
memory/4836-158-0x0000000000400000-0x000000000045E000-memory.dmp  376KB
memory/4836-142-0x0000000000400000-0x000000000045E000-memory.dmp  376KB
memory/4836-135-0x0000000000000000-mapping.dmp
memory/4968-164-0x0000000000400000-0x000000000045E000-memory.dmp  376KB
memory/4968-163-0x00000000004B4000-0x00000000004D3000-memory.dmp  124KB