Analysis
Max time kernel: 147s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 06-12-2022 10:29
Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20220812-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20220812-en)
General
Target: file.exe
Size: 417KB
MD5: f3370586810e9233e1a0857d656c04d4
SHA1: 95b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA256: 61dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA512: 6d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
SSDEEP: 6144:3BcyyxL5cn1RbPge5D4yXqjvXaW33qd1yigSxW5PDDPMk:32yuVcn1RzgeFRk3nwyz6W5P
Malware Config
Extracted: amadey
  3.50
  77.73.133.72/hfk3vK9/index.php
Extracted: redline
  @2023@
  193.106.191.138:32796
  auth_value: ca057e5baadfd0774a34a6a949cd5e69
Signatures
-
Detect Amadey credential stealer module 5 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll | amadey_cred_module
  \Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll | amadey_cred_module (4 identical hits)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  7 | 1112 | rundll32.exe
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
  pid | process
  2044 | gntuud.exe
  1352 | softx64.exe
  1640 | gntuud.exe
  1288 | gntuud.exe
Loads dropped DLL 11 IoCs
Processes:
  pid | process | hits
  1584 | file.exe | 2
  2044 | gntuud.exe | 2
  1556 | WerFault.exe | 3
  1112 | rundll32.exe | 4
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\softx64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\softx64.exe" | gntuud.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 1352 set thread context of 1084 | 1352 | softx64.exe | vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  1556 | 1352 | WerFault.exe | softx64.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid | process | hits
  1084 | vbc.exe | 1
  1112 | rundll32.exe | 4
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1084 | vbc.exe
Suspicious use of WriteProcessMemory 37 IoCs
Processes (source pid/process -> target pid/process, number of hits):
  1584 file.exe -> 2044 gntuud.exe (4)
  2044 gntuud.exe -> 1748 schtasks.exe (4)
  2044 gntuud.exe -> 1352 softx64.exe (4)
  1352 softx64.exe -> 1084 vbc.exe (6)
  1352 softx64.exe -> 1556 WerFault.exe (4)
  2044 gntuud.exe -> 1112 rundll32.exe (7)
  2036 taskeng.exe -> 1640 gntuud.exe (4)
  2036 taskeng.exe -> 1288 gntuud.exe (4)
-
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
      - Creates scheduled task(s)
    - [3] C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 36
        - Loads dropped DLL
        - Program crash
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {1ACF88AE-83BB-4FA8-AE4A-BD3AE90407DD} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    - Executes dropped EXE
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
Filesize: 269KB
MD5: 10bf7fdbdc5812d14ea2bb8e96b89aaf
SHA1: 16436b5caa6099ce764d0f834ba0ee5e0dea3d3e
SHA256: d18b070a3ff98f7eed74caf5573bfdf8615c234bc9fe216b29940b24144c1b2b
SHA512: 1ac93b3e3d65363b191d829a4d8882632bd6e507ded8bd0a3227e715e6302de2c00a3cd42d40858107024f90fb19ff6ac2b8e3c5a51c3dbb2177177eeb035da6
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe (same hashes as the submitted sample file.exe)
Filesize: 417KB
MD5: f3370586810e9233e1a0857d656c04d4
SHA1: 95b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA256: 61dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA512: 6d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll
Filesize: 126KB
MD5: 349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1: 077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA256: 5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA512: 83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773