Analysis
-
max time kernel
146s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 18:36
General
-
Target
8ae58bdf234e2ef7f52e9efe6c1ccaf9e67f2f6b9f3d2caca7593c7a74a409a7.exe
-
Size
695KB
-
MD5
06c28d0d1f1eb9ed5d7129d61bd0d6ea
-
SHA1
2aad0e9cf3e858c8a5cb97a88f5f0b687314cb5f
-
SHA256
8ae58bdf234e2ef7f52e9efe6c1ccaf9e67f2f6b9f3d2caca7593c7a74a409a7
-
SHA512
f3e1cd174d0d98b530b483b567ef981b08fda95a7711bc71b2fc58dd94579bf199f00717f2ef89ac00f98ef3bc38d72e3821cffa9f2bc6d2529474aa682daaa9
-
SSDEEP
12288:cMroy90LVyz7z9mwjhpXl6bcTPzlgO+ltXwIu1MXs27pVZRATvmHxYvnq8N5:cyYE7Bp/uULlD+l9wnMXh7lmvm+nq8N5
Malware Config
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ae58bdf234e2ef7f52e9efe6c1ccaf9e67f2f6b9f3d2caca7593c7a74a409a7.exe"C:\Users\Admin\AppData\Local\Temp\8ae58bdf234e2ef7f52e9efe6c1ccaf9e67f2f6b9f3d2caca7593c7a74a409a7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5757110.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5757110.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4565662.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4565662.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6893779.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6893779.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0028631.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0028631.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4637554.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4637554.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8611765.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8611765.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD5db1b73f7b1106c2defa71b7348d975b0
SHA1510f575193c1c8f66fdae7f9f00791af65eee5ed
SHA256815001373011a4ec4ed63b33750850f475352c0dc67daf7441486533d4a7ae85
SHA51269d661f31dc2505eb9441c043f4185fa857e127125f5c2d15f054b9fac19b097cc5372a9958bf2ab864b18fcf42416165b7ca892341162dce891add62b3cc40e
-
Filesize
229KB
MD5db1b73f7b1106c2defa71b7348d975b0
SHA1510f575193c1c8f66fdae7f9f00791af65eee5ed
SHA256815001373011a4ec4ed63b33750850f475352c0dc67daf7441486533d4a7ae85
SHA51269d661f31dc2505eb9441c043f4185fa857e127125f5c2d15f054b9fac19b097cc5372a9958bf2ab864b18fcf42416165b7ca892341162dce891add62b3cc40e
-
Filesize
229KB
MD5db1b73f7b1106c2defa71b7348d975b0
SHA1510f575193c1c8f66fdae7f9f00791af65eee5ed
SHA256815001373011a4ec4ed63b33750850f475352c0dc67daf7441486533d4a7ae85
SHA51269d661f31dc2505eb9441c043f4185fa857e127125f5c2d15f054b9fac19b097cc5372a9958bf2ab864b18fcf42416165b7ca892341162dce891add62b3cc40e
-
Filesize
229KB
MD5db1b73f7b1106c2defa71b7348d975b0
SHA1510f575193c1c8f66fdae7f9f00791af65eee5ed
SHA256815001373011a4ec4ed63b33750850f475352c0dc67daf7441486533d4a7ae85
SHA51269d661f31dc2505eb9441c043f4185fa857e127125f5c2d15f054b9fac19b097cc5372a9958bf2ab864b18fcf42416165b7ca892341162dce891add62b3cc40e
-
Filesize
229KB
MD5db1b73f7b1106c2defa71b7348d975b0
SHA1510f575193c1c8f66fdae7f9f00791af65eee5ed
SHA256815001373011a4ec4ed63b33750850f475352c0dc67daf7441486533d4a7ae85
SHA51269d661f31dc2505eb9441c043f4185fa857e127125f5c2d15f054b9fac19b097cc5372a9958bf2ab864b18fcf42416165b7ca892341162dce891add62b3cc40e
-
Filesize
229KB
MD5db1b73f7b1106c2defa71b7348d975b0
SHA1510f575193c1c8f66fdae7f9f00791af65eee5ed
SHA256815001373011a4ec4ed63b33750850f475352c0dc67daf7441486533d4a7ae85
SHA51269d661f31dc2505eb9441c043f4185fa857e127125f5c2d15f054b9fac19b097cc5372a9958bf2ab864b18fcf42416165b7ca892341162dce891add62b3cc40e
-
Filesize
229KB
MD5db1b73f7b1106c2defa71b7348d975b0
SHA1510f575193c1c8f66fdae7f9f00791af65eee5ed
SHA256815001373011a4ec4ed63b33750850f475352c0dc67daf7441486533d4a7ae85
SHA51269d661f31dc2505eb9441c043f4185fa857e127125f5c2d15f054b9fac19b097cc5372a9958bf2ab864b18fcf42416165b7ca892341162dce891add62b3cc40e
-
Filesize
512KB
MD50930dca519b78d413b37c76adf2a1b26
SHA172696b8f9b4d5f702224f4a14dc956569a8e19b8
SHA256fb79005e2077262f50b14b2bb0bd1871ea038077ce2d82a92cd31a0a5a0e9e4b
SHA512ce563d908731a9276782fdd6b8a51c44f0cfa662b7be85e6cddcfc65ad0b7762360099106a1cf0e38c873ee0bf1d0b8a32752182d3ae95df91f0e39726236a9d
-
Filesize
512KB
MD50930dca519b78d413b37c76adf2a1b26
SHA172696b8f9b4d5f702224f4a14dc956569a8e19b8
SHA256fb79005e2077262f50b14b2bb0bd1871ea038077ce2d82a92cd31a0a5a0e9e4b
SHA512ce563d908731a9276782fdd6b8a51c44f0cfa662b7be85e6cddcfc65ad0b7762360099106a1cf0e38c873ee0bf1d0b8a32752182d3ae95df91f0e39726236a9d
-
Filesize
176KB
MD5abe4d422198d56cc1a3faef1e8b52648
SHA149513d4d9ce77bb4065a01e1d7bdadfc2149d1a3
SHA2564030b99b837c1a3e8497c81e6f95e14aec4d0d5ca1e576bbeac8db6bee8919ae
SHA512a7bb5e72d3574b28c083d5db6e971b5fff756df15658bb6f13a627aea4f3ef2b4f80e1a934b4fe7ad8a0b4138f745a7436b32077e1999f23705fc7743da9dcfb
-
Filesize
176KB
MD5abe4d422198d56cc1a3faef1e8b52648
SHA149513d4d9ce77bb4065a01e1d7bdadfc2149d1a3
SHA2564030b99b837c1a3e8497c81e6f95e14aec4d0d5ca1e576bbeac8db6bee8919ae
SHA512a7bb5e72d3574b28c083d5db6e971b5fff756df15658bb6f13a627aea4f3ef2b4f80e1a934b4fe7ad8a0b4138f745a7436b32077e1999f23705fc7743da9dcfb
-
Filesize
308KB
MD5798ee0677affde2da3e8a07904b033c6
SHA184a6f0074f128dba214b1d583ee8ea8aa271b5df
SHA256239907d88ae2ad8487e7487ac3ea72acb37b733d334f8ff1147cebf3032ce85c
SHA5125f1b0d04380cf52cbfd3ad30fd807b7d13afb98c2b82dee9637bd2134143bd20eb49372e623ec0a32584a83264cfa2b3f62ebc20fbe8d7604eb83c71b767994d
-
Filesize
308KB
MD5798ee0677affde2da3e8a07904b033c6
SHA184a6f0074f128dba214b1d583ee8ea8aa271b5df
SHA256239907d88ae2ad8487e7487ac3ea72acb37b733d334f8ff1147cebf3032ce85c
SHA5125f1b0d04380cf52cbfd3ad30fd807b7d13afb98c2b82dee9637bd2134143bd20eb49372e623ec0a32584a83264cfa2b3f62ebc20fbe8d7604eb83c71b767994d
-
Filesize
176KB
MD5771b525b9f3e5e577ca08b508fe2672c
SHA193a005688050f2ff76072721b3c9751d9ddd1a76
SHA256f4686a44b1bc31c62aad6f6bcfe049e93bc008626e6d660f89e539392a5c0c5f
SHA5123c68e1cecb121f00ce649f52aa5acc6803de7b3055a21ad8a39f2850b0a6f71b891ba6f212f9741e9bf7fd051bbc92bc183ec10fcee5f63d3f0beaed40faf2eb
-
Filesize
176KB
MD5771b525b9f3e5e577ca08b508fe2672c
SHA193a005688050f2ff76072721b3c9751d9ddd1a76
SHA256f4686a44b1bc31c62aad6f6bcfe049e93bc008626e6d660f89e539392a5c0c5f
SHA5123c68e1cecb121f00ce649f52aa5acc6803de7b3055a21ad8a39f2850b0a6f71b891ba6f212f9741e9bf7fd051bbc92bc183ec10fcee5f63d3f0beaed40faf2eb
-
Filesize
176KB
MD5771b525b9f3e5e577ca08b508fe2672c
SHA193a005688050f2ff76072721b3c9751d9ddd1a76
SHA256f4686a44b1bc31c62aad6f6bcfe049e93bc008626e6d660f89e539392a5c0c5f
SHA5123c68e1cecb121f00ce649f52aa5acc6803de7b3055a21ad8a39f2850b0a6f71b891ba6f212f9741e9bf7fd051bbc92bc183ec10fcee5f63d3f0beaed40faf2eb
-
Filesize
136KB
MD5f59f5dc8ebdc4beef9807f9ffac7cd2e
SHA1303b42f8bdfe3a69f2c1db928d9e69f4004804dd
SHA2564c2136bec63488b3817ab51686bf9277b4d4dcdab1cd57e07df5e094d28f45aa
SHA5128fd351b7dc434234f5715843e13102d38a14d1669c013792dccaf1c55b4d59fa75a7acddf694025976652805964b919329fc7d7a7e755917f6fd9faa0cdfb443
-
Filesize
136KB
MD5f59f5dc8ebdc4beef9807f9ffac7cd2e
SHA1303b42f8bdfe3a69f2c1db928d9e69f4004804dd
SHA2564c2136bec63488b3817ab51686bf9277b4d4dcdab1cd57e07df5e094d28f45aa
SHA5128fd351b7dc434234f5715843e13102d38a14d1669c013792dccaf1c55b4d59fa75a7acddf694025976652805964b919329fc7d7a7e755917f6fd9faa0cdfb443
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
160KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB