Analysis
-
max time kernel
136s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/05/2023, 20:52
General
-
Target
1fd4b3537627a39a758a564e2d205c3afa7907bc3c89ca35d7d4abe5d9f00e82.exe
-
Size
492KB
-
MD5
552a7a75b659a01b8c92b107e8e3853a
-
SHA1
03666d3c1852c099be8207823c929f3c39a44181
-
SHA256
1fd4b3537627a39a758a564e2d205c3afa7907bc3c89ca35d7d4abe5d9f00e82
-
SHA512
e70d81bd6262648c195e8c1dbd97157aa53eef8529bc67ba6633f6c56d7c085e975f06f28fa068d018398933231c2afb34d1db28305139a410b9e602344cb21b
-
SSDEEP
12288:JMrpy90xkEXAtqHEqzqzCovLz+JqQ5/CjXbUaEY:4yEkmAkkqozz+D/8EY
Malware Config
Extracted
redline
luna
217.196.96.101:4132
-
auth_value
3372be6f6fa192ff878fa6fe9be73f6e
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fd4b3537627a39a758a564e2d205c3afa7907bc3c89ca35d7d4abe5d9f00e82.exe"C:\Users\Admin\AppData\Local\Temp\1fd4b3537627a39a758a564e2d205c3afa7907bc3c89ca35d7d4abe5d9f00e82.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9251839.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9251839.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3722908.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3722908.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4776939.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4776939.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4461565.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4461565.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230KB
MD549b840d2d9e164129166afb28f197723
SHA14cb704d4f2dd6fe9c572b2fd5371bd5f241a0d27
SHA256a9d49895ca836136e92de2a208351389f34aaf117b81e15d5c9698c37e418069
SHA512a69716196e483c0a9573b566c6250194bee1024198ed27318e0ac98b3e04f6f1f23b4cf03c908362da3fedc09d7a9c20fa41879bc9d0fb52a50aa7f5ba3cf228
-
Filesize
230KB
MD549b840d2d9e164129166afb28f197723
SHA14cb704d4f2dd6fe9c572b2fd5371bd5f241a0d27
SHA256a9d49895ca836136e92de2a208351389f34aaf117b81e15d5c9698c37e418069
SHA512a69716196e483c0a9573b566c6250194bee1024198ed27318e0ac98b3e04f6f1f23b4cf03c908362da3fedc09d7a9c20fa41879bc9d0fb52a50aa7f5ba3cf228
-
Filesize
230KB
MD549b840d2d9e164129166afb28f197723
SHA14cb704d4f2dd6fe9c572b2fd5371bd5f241a0d27
SHA256a9d49895ca836136e92de2a208351389f34aaf117b81e15d5c9698c37e418069
SHA512a69716196e483c0a9573b566c6250194bee1024198ed27318e0ac98b3e04f6f1f23b4cf03c908362da3fedc09d7a9c20fa41879bc9d0fb52a50aa7f5ba3cf228
-
Filesize
230KB
MD549b840d2d9e164129166afb28f197723
SHA14cb704d4f2dd6fe9c572b2fd5371bd5f241a0d27
SHA256a9d49895ca836136e92de2a208351389f34aaf117b81e15d5c9698c37e418069
SHA512a69716196e483c0a9573b566c6250194bee1024198ed27318e0ac98b3e04f6f1f23b4cf03c908362da3fedc09d7a9c20fa41879bc9d0fb52a50aa7f5ba3cf228
-
Filesize
230KB
MD549b840d2d9e164129166afb28f197723
SHA14cb704d4f2dd6fe9c572b2fd5371bd5f241a0d27
SHA256a9d49895ca836136e92de2a208351389f34aaf117b81e15d5c9698c37e418069
SHA512a69716196e483c0a9573b566c6250194bee1024198ed27318e0ac98b3e04f6f1f23b4cf03c908362da3fedc09d7a9c20fa41879bc9d0fb52a50aa7f5ba3cf228
-
Filesize
230KB
MD549b840d2d9e164129166afb28f197723
SHA14cb704d4f2dd6fe9c572b2fd5371bd5f241a0d27
SHA256a9d49895ca836136e92de2a208351389f34aaf117b81e15d5c9698c37e418069
SHA512a69716196e483c0a9573b566c6250194bee1024198ed27318e0ac98b3e04f6f1f23b4cf03c908362da3fedc09d7a9c20fa41879bc9d0fb52a50aa7f5ba3cf228
-
Filesize
230KB
MD549b840d2d9e164129166afb28f197723
SHA14cb704d4f2dd6fe9c572b2fd5371bd5f241a0d27
SHA256a9d49895ca836136e92de2a208351389f34aaf117b81e15d5c9698c37e418069
SHA512a69716196e483c0a9573b566c6250194bee1024198ed27318e0ac98b3e04f6f1f23b4cf03c908362da3fedc09d7a9c20fa41879bc9d0fb52a50aa7f5ba3cf228
-
Filesize
309KB
MD5053baa333bd6167be814d657e9bd80bd
SHA18a914481b642ff3c04928daa3af61c8a009a7f62
SHA256e2575e20503f3d9aded12fb540fdb907bf1ed8663d205f8438fe64cf7a4412d8
SHA512a0a1453edd20f82c3bd64a82b8f09752c377a2366cf17c1090367d29b9013596e49cf1b281706f3ad18bc116a0df7c2e42e601aa27cba835b306f3eef471dcdd
-
Filesize
309KB
MD5053baa333bd6167be814d657e9bd80bd
SHA18a914481b642ff3c04928daa3af61c8a009a7f62
SHA256e2575e20503f3d9aded12fb540fdb907bf1ed8663d205f8438fe64cf7a4412d8
SHA512a0a1453edd20f82c3bd64a82b8f09752c377a2366cf17c1090367d29b9013596e49cf1b281706f3ad18bc116a0df7c2e42e601aa27cba835b306f3eef471dcdd
-
Filesize
176KB
MD55e8818d114ca7b2547619035330690a0
SHA1d019b4490288215230d361a984f2c9c042b2aa4f
SHA256e0aecd6c701c4379d0d874f8decc050fb9dd9e0a4c7f3ec36069dc97bbfbcc4f
SHA51204efa292b9dc09d5784cb771e04aaf308d33409f6849913451da3b26b3d65210e94ccf7c26750ee0d267f09a7d861be68214011186e9b2a9d44fee5c3803a736
-
Filesize
176KB
MD55e8818d114ca7b2547619035330690a0
SHA1d019b4490288215230d361a984f2c9c042b2aa4f
SHA256e0aecd6c701c4379d0d874f8decc050fb9dd9e0a4c7f3ec36069dc97bbfbcc4f
SHA51204efa292b9dc09d5784cb771e04aaf308d33409f6849913451da3b26b3d65210e94ccf7c26750ee0d267f09a7d861be68214011186e9b2a9d44fee5c3803a736
-
Filesize
168KB
MD5db9c9d39878d2d06e57284ee8804c4cf
SHA1ea8e667e1db9a0d7056381a988927b6fc190ef6b
SHA256eec2ec473ae27f7f5c61d409eabf2912584723df2532683e171844b9f2edd2cd
SHA5125fc2cf67d832b0519671068e867d4762a04187d49b4d9e67fc89c54b412a9488b3d1ab7fff48d34d25fccefaab6022514e2bb6bf04e99299359671917728262e
-
Filesize
168KB
MD5db9c9d39878d2d06e57284ee8804c4cf
SHA1ea8e667e1db9a0d7056381a988927b6fc190ef6b
SHA256eec2ec473ae27f7f5c61d409eabf2912584723df2532683e171844b9f2edd2cd
SHA5125fc2cf67d832b0519671068e867d4762a04187d49b4d9e67fc89c54b412a9488b3d1ab7fff48d34d25fccefaab6022514e2bb6bf04e99299359671917728262e
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
192KB