Analysis

  • max time kernel
    152s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-12-2022 03:47

General

  • Target

    c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe

  • Size

    29KB

  • MD5

    1496b98fe0530da47982105a87a69bce

  • SHA1

    00719a1b168c8baa3827a161326b157713f9a07a

  • SHA256

    c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

  • SHA512

    286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

  • SSDEEP

    768:en3FjOzFQjRuGjXi2nZFwn3SGTfMve9L0hPOZ:eaQ3Xi2ni3SKfMkLw

Malware Config

Extracted

  • Family
    redline
  • Botnet
    GOLD
  • C2
    45.138.16.105:30305
  • Attributes
    auth_value: 4f782696884d580a958a158781386d86

Extracted

  • Family
    amadey
  • Version
    3.50
  • C2
    1h3art.me/i4kvjd3xc/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Smokeloader packer 8 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
    "C:\Users\Admin\AppData\Local\Temp\c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1096
  • C:\Users\Admin\AppData\Local\Temp\350A.exe
    C:\Users\Admin\AppData\Local\Temp\350A.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4608
  • C:\Users\Admin\AppData\Local\Temp\3578.exe
    C:\Users\Admin\AppData\Local\Temp\3578.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:2280
      • C:\Users\Admin\AppData\Roaming\1000089000\stub.exe
        "C:\Users\Admin\AppData\Roaming\1000089000\stub.exe"
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:2604
  • C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    1⤵
    • Executes dropped EXE
    PID:3076
  • C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    1⤵
    • Executes dropped EXE
    PID:2324
  • C:\Users\Admin\AppData\Roaming\vvvsaer
    C:\Users\Admin\AppData\Roaming\vvvsaer
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:4832

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Defense Evasion
    Modify Registry (1) T1112
  • Credential Access
    Credentials in Files (2) T1081
  • Discovery
    Query Registry (3) T1012
    System Information Discovery (3) T1082
    Peripheral Device Discovery (1) T1120
  • Collection
    Data from Local System (2) T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\350A.exe
    Filesize

    175KB

    MD5

    41e675184373c3cd9774a54af1d1b05d

    SHA1

    a32a1fe0674fa649d7983ad6638720dc791493cb

    SHA256

    8790b9d76fda4062efadf905201eb5dab93a756d01c97e6c9a194a874f348af7

    SHA512

    45cd993b184a32bab90bdcc435eef1f3ec5f91456c2b2c0b2e2a29eb69c66ab6cc4f829406078437459405f20f41cf396408f3e6c59d061c1ebe24486f486fea

  • C:\Users\Admin\AppData\Local\Temp\3578.exe
    Filesize

    241KB

    MD5

    3c0eaa80d5332030e07f85fbd5960044

    SHA1

    4f3495495a1eb31709949979dc78c23406eb9648

    SHA256

    d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

    SHA512

    4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

  • C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    Filesize

    241KB

    MD5

    3c0eaa80d5332030e07f85fbd5960044

    SHA1

    4f3495495a1eb31709949979dc78c23406eb9648

    SHA256

    d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

    SHA512

    4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

  • C:\Users\Admin\AppData\Roaming\1000089000\stub.exe
    Filesize

    29KB

    MD5

    1496b98fe0530da47982105a87a69bce

    SHA1

    00719a1b168c8baa3827a161326b157713f9a07a

    SHA256

    c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

    SHA512

    286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

  • C:\Users\Admin\AppData\Roaming\vvvsaer
    Filesize

    29KB

    MD5

    1496b98fe0530da47982105a87a69bce

    SHA1

    00719a1b168c8baa3827a161326b157713f9a07a

    SHA256

    c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

    SHA512

    286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

  • memory/1096-132-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/1096-133-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/2260-141-0x0000000000000000-mapping.dmp
  • memory/2280-144-0x0000000000000000-mapping.dmp
  • memory/2604-153-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/2604-149-0x0000000000000000-mapping.dmp
  • memory/2604-152-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/4012-136-0x0000000000000000-mapping.dmp
  • memory/4608-145-0x0000000005910000-0x0000000005F28000-memory.dmp
    Filesize

    6.1MB

  • memory/4608-146-0x0000000005450000-0x000000000555A000-memory.dmp
    Filesize

    1.0MB

  • memory/4608-154-0x00000000056F0000-0x0000000005756000-memory.dmp
    Filesize

    408KB

  • memory/4608-155-0x00000000062D0000-0x0000000006362000-memory.dmp
    Filesize

    584KB

  • memory/4608-156-0x0000000006920000-0x0000000006EC4000-memory.dmp
    Filesize

    5.6MB

  • memory/4608-148-0x00000000053E0000-0x000000000541C000-memory.dmp
    Filesize

    240KB

  • memory/4608-158-0x00000000064F0000-0x0000000006566000-memory.dmp
    Filesize

    472KB

  • memory/4608-159-0x0000000006570000-0x00000000065C0000-memory.dmp
    Filesize

    320KB

  • memory/4608-160-0x0000000006ED0000-0x0000000007092000-memory.dmp
    Filesize

    1.8MB

  • memory/4608-161-0x00000000075D0000-0x0000000007AFC000-memory.dmp
    Filesize

    5.2MB

  • memory/4608-147-0x0000000005380000-0x0000000005392000-memory.dmp
    Filesize

    72KB

  • memory/4608-140-0x00000000009C0000-0x00000000009F2000-memory.dmp
    Filesize

    200KB

  • memory/4608-134-0x0000000000000000-mapping.dmp