Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06-12-2022 10:29
General
-
Target
file.exe
-
Size
417KB
-
MD5
f3370586810e9233e1a0857d656c04d4
-
SHA1
95b45511f5d0ce2174e5cd6878c8d8a870c31403
-
SHA256
61dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
-
SHA512
6d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
SSDEEP
6144:3BcyyxL5cn1RbPge5D4yXqjvXaW33qd1yigSxW5PDDPMk:32yuVcn1RzgeFRk3nwyz6W5P
Malware Config
Extracted
amadey
3.50
77.73.133.72/hfk3vK9/index.php
Extracted
redline
@2023@
193.106.191.138:32796
-
auth_value
ca057e5baadfd0774a34a6a949cd5e69
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 11 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 364⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\system32\taskeng.exetaskeng.exe {1ACF88AE-83BB-4FA8-AE4A-BD3AE90407DD} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeC:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
269KB
MD510bf7fdbdc5812d14ea2bb8e96b89aaf
SHA116436b5caa6099ce764d0f834ba0ee5e0dea3d3e
SHA256d18b070a3ff98f7eed74caf5573bfdf8615c234bc9fe216b29940b24144c1b2b
SHA5121ac93b3e3d65363b191d829a4d8882632bd6e507ded8bd0a3227e715e6302de2c00a3cd42d40858107024f90fb19ff6ac2b8e3c5a51c3dbb2177177eeb035da6
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
417KB
MD5f3370586810e9233e1a0857d656c04d4
SHA195b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA25661dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA5126d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
417KB
MD5f3370586810e9233e1a0857d656c04d4
SHA195b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA25661dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA5126d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
417KB
MD5f3370586810e9233e1a0857d656c04d4
SHA195b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA25661dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA5126d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
417KB
MD5f3370586810e9233e1a0857d656c04d4
SHA195b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA25661dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA5126d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
269KB
MD510bf7fdbdc5812d14ea2bb8e96b89aaf
SHA116436b5caa6099ce764d0f834ba0ee5e0dea3d3e
SHA256d18b070a3ff98f7eed74caf5573bfdf8615c234bc9fe216b29940b24144c1b2b
SHA5121ac93b3e3d65363b191d829a4d8882632bd6e507ded8bd0a3227e715e6302de2c00a3cd42d40858107024f90fb19ff6ac2b8e3c5a51c3dbb2177177eeb035da6
-
\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
269KB
MD510bf7fdbdc5812d14ea2bb8e96b89aaf
SHA116436b5caa6099ce764d0f834ba0ee5e0dea3d3e
SHA256d18b070a3ff98f7eed74caf5573bfdf8615c234bc9fe216b29940b24144c1b2b
SHA5121ac93b3e3d65363b191d829a4d8882632bd6e507ded8bd0a3227e715e6302de2c00a3cd42d40858107024f90fb19ff6ac2b8e3c5a51c3dbb2177177eeb035da6
-
\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
269KB
MD510bf7fdbdc5812d14ea2bb8e96b89aaf
SHA116436b5caa6099ce764d0f834ba0ee5e0dea3d3e
SHA256d18b070a3ff98f7eed74caf5573bfdf8615c234bc9fe216b29940b24144c1b2b
SHA5121ac93b3e3d65363b191d829a4d8882632bd6e507ded8bd0a3227e715e6302de2c00a3cd42d40858107024f90fb19ff6ac2b8e3c5a51c3dbb2177177eeb035da6
-
\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
269KB
MD510bf7fdbdc5812d14ea2bb8e96b89aaf
SHA116436b5caa6099ce764d0f834ba0ee5e0dea3d3e
SHA256d18b070a3ff98f7eed74caf5573bfdf8615c234bc9fe216b29940b24144c1b2b
SHA5121ac93b3e3d65363b191d829a4d8882632bd6e507ded8bd0a3227e715e6302de2c00a3cd42d40858107024f90fb19ff6ac2b8e3c5a51c3dbb2177177eeb035da6
-
\Users\Admin\AppData\Local\Temp\1000014001\softx64.exeFilesize
269KB
MD510bf7fdbdc5812d14ea2bb8e96b89aaf
SHA116436b5caa6099ce764d0f834ba0ee5e0dea3d3e
SHA256d18b070a3ff98f7eed74caf5573bfdf8615c234bc9fe216b29940b24144c1b2b
SHA5121ac93b3e3d65363b191d829a4d8882632bd6e507ded8bd0a3227e715e6302de2c00a3cd42d40858107024f90fb19ff6ac2b8e3c5a51c3dbb2177177eeb035da6
-
\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
417KB
MD5f3370586810e9233e1a0857d656c04d4
SHA195b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA25661dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA5126d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exeFilesize
417KB
MD5f3370586810e9233e1a0857d656c04d4
SHA195b45511f5d0ce2174e5cd6878c8d8a870c31403
SHA25661dba2e38b184c063eb4cd5922fbfda2802b79b38909b89f9c913d124e16fa8f
SHA5126d37d1de9574fa0315a3d3abe9ba651c2fff069b3e12e2139266325a6b9e7cc836cb30381c6e6b95b2a807bbb98368f73572322151ae7ee7c0ac188727985e03
-
\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dllFilesize
126KB
MD5349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA2565cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA51283fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
-
memory/1084-80-0x0000000000080000-0x00000000000B2000-memory.dmpFilesize
200KB
-
memory/1084-78-0x0000000000080000-0x00000000000B2000-memory.dmpFilesize
200KB
-
memory/1084-87-0x0000000000080000-0x00000000000B2000-memory.dmpFilesize
200KB
-
memory/1084-86-0x0000000000080000-0x00000000000B2000-memory.dmpFilesize
200KB
-
memory/1084-85-0x000000000009B5B2-mapping.dmp
-
memory/1112-93-0x0000000000000000-mapping.dmp
-
memory/1112-100-0x0000000000121000-0x000000000013B000-memory.dmpFilesize
104KB
-
memory/1288-107-0x0000000000000000-mapping.dmp
-
memory/1288-112-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/1288-111-0x0000000000588000-0x00000000005A7000-memory.dmpFilesize
124KB
-
memory/1288-109-0x0000000000588000-0x00000000005A7000-memory.dmpFilesize
124KB
-
memory/1352-76-0x0000000000000000-mapping.dmp
-
memory/1556-88-0x0000000000000000-mapping.dmp
-
memory/1584-65-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/1584-55-0x0000000075241000-0x0000000075243000-memory.dmpFilesize
8KB
-
memory/1584-64-0x00000000002A0000-0x00000000002DE000-memory.dmpFilesize
248KB
-
memory/1584-63-0x00000000004F8000-0x0000000000517000-memory.dmpFilesize
124KB
-
memory/1584-58-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/1584-57-0x00000000002A0000-0x00000000002DE000-memory.dmpFilesize
248KB
-
memory/1584-54-0x00000000004F8000-0x0000000000517000-memory.dmpFilesize
124KB
-
memory/1584-56-0x00000000004F8000-0x0000000000517000-memory.dmpFilesize
124KB
-
memory/1640-105-0x00000000005F8000-0x0000000000617000-memory.dmpFilesize
124KB
-
memory/1640-106-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/1640-101-0x0000000000000000-mapping.dmp
-
memory/1640-103-0x00000000005F8000-0x0000000000617000-memory.dmpFilesize
124KB
-
memory/1748-68-0x0000000000000000-mapping.dmp
-
memory/2044-61-0x0000000000000000-mapping.dmp
-
memory/2044-73-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/2044-66-0x0000000000618000-0x0000000000637000-memory.dmpFilesize
124KB
-
memory/2044-70-0x0000000000618000-0x0000000000637000-memory.dmpFilesize
124KB
-
memory/2044-72-0x0000000000618000-0x0000000000637000-memory.dmpFilesize
124KB
-
memory/2044-71-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB