Analysis
- max time kernel: 99s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 12:14

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
General
- Target: file.exe
- Size: 417KB
- MD5: ab398d4d818725d0d0a2b5abba54f2e8
- SHA1: 8ad764a1bd4d1b743602b89707c6d85a22f0642b
- SHA256: cceb75ae68e8a9ed006e36bd335ca011bfbce3c96de676c1d469bc65fb3894bb
- SHA512: a56af409cb7f3ce1fe02859979ea3ed26968a09352008c6c53bf67390c6db94c5f387f1aee7bedc5e04946887597a5f97421321b3cbcaeb1259b014add8c5a1e
- SSDEEP: 6144:Gc3yMJLj512cbW/G00qHixTxxmBHd3JufGWhd1xMyigGPMk:GWysP512ck5d0TXmd+NhWyz
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 77.73.133.72/hfk3vK9/index.php
Extracted
- Family: redline
- Botnet: @2023@
- C2: 193.106.191.138:32796
- auth_value: ca057e5baadfd0774a34a6a949cd5e69
Signatures
-
Detect Amadey credential stealer module (5 IoCs)
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll / amadey_cred_module
- \Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll / amadey_cred_module (4 further matches on the same path)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request (1 IoC)
Processes (flow / pid / process):
- 7 / 1680 / rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (4 IoCs)
Processes (pid / process):
- 1716 / gntuud.exe
- 1644 / softx64.exe
- 1752 / gntuud.exe
- 1728 / gntuud.exe
-
Loads dropped DLL (11 IoCs)
Processes (pid / process), identical rows collapsed with their count:
- 1752 / file.exe (2)
- 1716 / gntuud.exe (2)
- 1668 / WerFault.exe (3)
- 1680 / rundll32.exe (4)
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution (1 TTP)
-
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Key opened / \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\softx64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\softx64.exe" / gntuud.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
- PID 1644 set thread context of 1636 / 1644 / softx64.exe / vbc.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes (pid / pid_target / process / target process):
- 1668 / 1644 / WerFault.exe / softx64.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process), identical rows collapsed with their count:
- 1636 / vbc.exe (1)
- 1680 / rundll32.exe (4)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1636 / vbc.exe
-
Suspicious use of WriteProcessMemory (37 IoCs)
Processes (description / pid / process / target process), identical rows collapsed with their count:
- PID 1752 wrote to memory of 1716 / 1752 / file.exe / gntuud.exe (4)
- PID 1716 wrote to memory of 1708 / 1716 / gntuud.exe / schtasks.exe (4)
- PID 1716 wrote to memory of 1644 / 1716 / gntuud.exe / softx64.exe (4)
- PID 1644 wrote to memory of 1636 / 1644 / softx64.exe / vbc.exe (6)
- PID 1644 wrote to memory of 1668 / 1644 / softx64.exe / WerFault.exe (4)
- PID 1788 wrote to memory of 1752 / 1788 / taskeng.exe / gntuud.exe (4)
- PID 1716 wrote to memory of 1680 / 1716 / gntuud.exe / rundll32.exe (7)
- PID 1788 wrote to memory of 1728 / 1788 / taskeng.exe / gntuud.exe (4)
-
outlook_win_path (1 IoC)
Processes (description / ioc / process):
- Key opened / \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 36
        Signatures: Loads dropped DLL; Program crash
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {9246543F-BF81-4E0C-86F8-6C65C1ACC033} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
Filesize: 269KB
MD5: 7eeef796f094d4f0d0a898dfcaeb59e9
SHA1: d9471c923e11e32e4af2dbf091d25aae6ecd9466
SHA256: 58567be43d8183543f190c62c3a28be2c3d8cd85005f2ad58613a810eeaa8ab1
SHA512: 31b7cbfc6b087887d3cbf1ccd8738d499ca5f28ed03c90be6ace8ca244aa84a95515b666eeac0068a24ef0119400702210281fe43033830ed85be5eafbd3c3e9
-
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
Filesize: 417KB
MD5: ab398d4d818725d0d0a2b5abba54f2e8
SHA1: 8ad764a1bd4d1b743602b89707c6d85a22f0642b
SHA256: cceb75ae68e8a9ed006e36bd335ca011bfbce3c96de676c1d469bc65fb3894bb
SHA512: a56af409cb7f3ce1fe02859979ea3ed26968a09352008c6c53bf67390c6db94c5f387f1aee7bedc5e04946887597a5f97421321b3cbcaeb1259b014add8c5a1e
-
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll
Filesize: 126KB
MD5: 349b2b47fef50fa6a1fc19d0ee4b2db8
SHA1: 077f4328b3f060a9f010b1a63d9e127d24ddafd4
SHA256: 5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
SHA512: 83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773