Analysis
-
max time kernel
141s -
max time network
107s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
10-04-2023 19:28
General
-
Target
9263cb167a13835ce4e9a823ceb0d9174db935c672dd5c396e1c95e4a1d0b845.exe
-
Size
939KB
-
MD5
b2ea987c7a7cab74ed6af78782155d0c
-
SHA1
ee9cab6e043da026d2971effb1c4f1a2c82127ee
-
SHA256
9263cb167a13835ce4e9a823ceb0d9174db935c672dd5c396e1c95e4a1d0b845
-
SHA512
25ae5f37ea03adef30ad4158b2457f7433ed379d2aa88a7e7f3d8f42c80e4157b28e0269e17e21ed87e63e1de7c522562368448f4cf2857a73b307d08e007263
-
SSDEEP
24576:dynNlZHj1wkMGKSic9l4d4efIjtdtfgJCZ4w:4nNlFZyA4d398Z
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
zima
176.113.115.145:4125
-
auth_value
2ef701d510c0d27e8a8e3270281678b1
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9263cb167a13835ce4e9a823ceb0d9174db935c672dd5c396e1c95e4a1d0b845.exe"C:\Users\Admin\AppData\Local\Temp\9263cb167a13835ce4e9a823ceb0d9174db935c672dd5c396e1c95e4a1d0b845.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un609354.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un609354.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un992045.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un992045.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr915141.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr915141.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu856030.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu856030.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk508861.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk508861.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si019478.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si019478.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 6163⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 6963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 8363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 8483⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 8763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 7363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 10603⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
Filesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
Filesize
674KB
MD5dbedb4560fe2f00eabe1ae8f0181428e
SHA14a4a0d8c64a6705238c95a19b223f4b4bf27f202
SHA25636f137cbbed5ca16f4aef1ef2bb7a6d5905776f5cc0aa61da81a7f7c0ed2728e
SHA5124c70169dc88c8fc47b646790d8602745da72993bbdcb5cc907655ecd8a09ebd264ef86abaf9259770cdfac2e2fdb03061645efc2bc244da249303b55d50e7996
-
Filesize
674KB
MD5dbedb4560fe2f00eabe1ae8f0181428e
SHA14a4a0d8c64a6705238c95a19b223f4b4bf27f202
SHA25636f137cbbed5ca16f4aef1ef2bb7a6d5905776f5cc0aa61da81a7f7c0ed2728e
SHA5124c70169dc88c8fc47b646790d8602745da72993bbdcb5cc907655ecd8a09ebd264ef86abaf9259770cdfac2e2fdb03061645efc2bc244da249303b55d50e7996
-
Filesize
168KB
MD5c84141b109ea9992223229390fe4c2a5
SHA1976c4ada3637fcd9dc362a0925a8a313c6fe1ce6
SHA2561ab1185ae1b2c7b77724075acfb7cd634c8c2b30ce9ab5614f05834d35da55dc
SHA512f8b6a5490c050b2d39c4a255e3621e8d418c0dc981e9be2759300fc87285d31fd74228c955efd0d6dc617fbcabd51d6fcbd1a0354e6626bd644245686dea4a9e
-
Filesize
168KB
MD5c84141b109ea9992223229390fe4c2a5
SHA1976c4ada3637fcd9dc362a0925a8a313c6fe1ce6
SHA2561ab1185ae1b2c7b77724075acfb7cd634c8c2b30ce9ab5614f05834d35da55dc
SHA512f8b6a5490c050b2d39c4a255e3621e8d418c0dc981e9be2759300fc87285d31fd74228c955efd0d6dc617fbcabd51d6fcbd1a0354e6626bd644245686dea4a9e
-
Filesize
520KB
MD5976ed87be5638e0d7b8e319f18b14dfb
SHA118372861746d465839f5dd2ddd4caa80a8820333
SHA25676eb9745c43a04eccec860e68ec2fe471fca9ec6d67b13ef722f02c627bb40ee
SHA512a9af2b2f6ac291f4f6426a5fcefb669e6383396c06474235f3ee36d53aacdaf1fafdf3bcb8f55b968e275fabe4a190e762ba26ae4fbeb0b470efc5d403f7a4c7
-
Filesize
520KB
MD5976ed87be5638e0d7b8e319f18b14dfb
SHA118372861746d465839f5dd2ddd4caa80a8820333
SHA25676eb9745c43a04eccec860e68ec2fe471fca9ec6d67b13ef722f02c627bb40ee
SHA512a9af2b2f6ac291f4f6426a5fcefb669e6383396c06474235f3ee36d53aacdaf1fafdf3bcb8f55b968e275fabe4a190e762ba26ae4fbeb0b470efc5d403f7a4c7
-
Filesize
239KB
MD58933514113ef23af43a5875a350f7855
SHA1f5ee7b60122e9131e2e2aa8237f8ecdc90933d67
SHA256b6976b378a033a38e4df5f137041a055f4aca6739c3ff8cb207417018693d905
SHA51217ada4445d7901648427ac9489e1fbb7c69d768cb05c49d3fc2c6c958adbab66e211fb54ecef8a776ab216eb3b610be6825437df1fe924a5ecaeac07fb2c9f39
-
Filesize
239KB
MD58933514113ef23af43a5875a350f7855
SHA1f5ee7b60122e9131e2e2aa8237f8ecdc90933d67
SHA256b6976b378a033a38e4df5f137041a055f4aca6739c3ff8cb207417018693d905
SHA51217ada4445d7901648427ac9489e1fbb7c69d768cb05c49d3fc2c6c958adbab66e211fb54ecef8a776ab216eb3b610be6825437df1fe924a5ecaeac07fb2c9f39
-
Filesize
297KB
MD5af53c79a0d55d35389993b9f57f6e316
SHA195beb7c0fa6eb6867d3ed6a62034a954484d713f
SHA25624f20e9a8f75234a8bf5d09d55528d79e29d240a5515c3c4a14eab05654c0aa3
SHA51249057fc95790175c99746f67af2cf3973557a598ff1108fcd3a9193cb006ffd86fe136ffa2822620f46dcf89b8d6425732af8dcc12a9a2735e8554ec19fad20d
-
Filesize
297KB
MD5af53c79a0d55d35389993b9f57f6e316
SHA195beb7c0fa6eb6867d3ed6a62034a954484d713f
SHA25624f20e9a8f75234a8bf5d09d55528d79e29d240a5515c3c4a14eab05654c0aa3
SHA51249057fc95790175c99746f67af2cf3973557a598ff1108fcd3a9193cb006ffd86fe136ffa2822620f46dcf89b8d6425732af8dcc12a9a2735e8554ec19fad20d
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
680KB
-
Filesize
680KB
-
Filesize
96KB
-
Filesize
104KB
-
Filesize
5.0MB
-
Filesize
236KB
-
Filesize
192KB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
300KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
280KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
64KB