Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-09-2023 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    033a0cebce2769d517af2d180ac078bdbe62289b8c612839701bf38a002accc8.exe

  • Size

    1.4MB

  • MD5

    958d8daf9b80bb15e829738670a676d2

  • SHA1

    5dd19f5db69c1d7645640f387be330fcd0f33fff

  • SHA256

    033a0cebce2769d517af2d180ac078bdbe62289b8c612839701bf38a002accc8

  • SHA512

    8382f2761450bdad366bc2c3ebf741c09a43b7a88f08f306b21e1dd16a3b9d4bd9d84bcf1b6d86f0a19780da0dfeca2e48469d983a137f468ccf114a70517c01

  • SSDEEP

    24576:xydrQKNXDpda4xU7E5KblM77C7zPXtp05wciukbDkCHXuZpps0BUMXpB1o5:kdrPFa4xUQ5KblM7OTtp3LbDkCHv0BlW

Score
10/10
amadeyredlinejanginfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

jang

C2

77.91.124.82:19071

Attributes
  • auth_value

    662102010afcbe9e22b13116b1c1a088

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\033a0cebce2769d517af2d180ac078bdbe62289b8c612839701bf38a002accc8.exe
    "C:\Users\Admin\AppData\Local\Temp\033a0cebce2769d517af2d180ac078bdbe62289b8c612839701bf38a002accc8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1112562.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1112562.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3673451.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3673451.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3712
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4428819.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4428819.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:392
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7658969.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7658969.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3452
            • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3688
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:3680
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3388
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:1244
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "saves.exe" /P "Admin:N"
                    8⤵
                      PID:3664
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:R" /E
                      8⤵
                        PID:4048
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:4444
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\b40d11255d" /P "Admin:N"
                          8⤵
                            PID:2840
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:R" /E
                            8⤵
                              PID:2820
                          • C:\Windows\SysWOW64\rundll32.exe
                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                            7⤵
                            • Loads dropped DLL
                            PID:456
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1491486.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1491486.exe
                        5⤵
                        • Executes dropped EXE
                        PID:3408
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1311099.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1311099.exe
                      4⤵
                      • Executes dropped EXE
                      PID:4140
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k netsvcs -p
                1⤵
                • Checks processor information in registry
                • Enumerates system info in registry
                PID:4212
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1472
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1804

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1112562.exe
                Filesize

                1.3MB

                MD5

                1d15530452573e860465483972d5cfa2

                SHA1

                03d05a011a593f19c247cd388d57e71c38f9b7ac

                SHA256

                e80da9ea13a8fa283a91f15c011fa5708eeeff3b32d7a2dca006cd3532ad9698

                SHA512

                8965b29e0f7436979e8c193ef648872fccfa4404798ef48e62b03b247f44a83cf5c10cca9f4a91941e5c147e3ab95a538e8e84e2454575679a44fee9fcd0edeb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1112562.exe
                Filesize

                1.3MB

                MD5

                1d15530452573e860465483972d5cfa2

                SHA1

                03d05a011a593f19c247cd388d57e71c38f9b7ac

                SHA256

                e80da9ea13a8fa283a91f15c011fa5708eeeff3b32d7a2dca006cd3532ad9698

                SHA512

                8965b29e0f7436979e8c193ef648872fccfa4404798ef48e62b03b247f44a83cf5c10cca9f4a91941e5c147e3ab95a538e8e84e2454575679a44fee9fcd0edeb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3673451.exe
                Filesize

                475KB

                MD5

                a419ea17f0215a3cca0e7e4e43fc4549

                SHA1

                054cd7bc8d0f4f71d948a5ba1f8c9c3567349d53

                SHA256

                91146400d218c8b3938ba8b3079fc497e8f90737c69c2d31a54fbe06b1112770

                SHA512

                9ac80f52ce85dd445f92e30650b315abec54a8283070af49a665df117c9e9ba529e7fe4f02204803fc17f94d5a0964ffcfb75afc0e1c99df581261178704f8bd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3673451.exe
                Filesize

                475KB

                MD5

                a419ea17f0215a3cca0e7e4e43fc4549

                SHA1

                054cd7bc8d0f4f71d948a5ba1f8c9c3567349d53

                SHA256

                91146400d218c8b3938ba8b3079fc497e8f90737c69c2d31a54fbe06b1112770

                SHA512

                9ac80f52ce85dd445f92e30650b315abec54a8283070af49a665df117c9e9ba529e7fe4f02204803fc17f94d5a0964ffcfb75afc0e1c99df581261178704f8bd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1311099.exe
                Filesize

                174KB

                MD5

                f0f6a240d0153ade64fbbf0eb51d73b0

                SHA1

                40d9c25e7fdd5c069d3ca9775954ed87ebba995a

                SHA256

                3ebdc72767716100a540b02db70301617737bf3899818db78374ebff17b2fd1d

                SHA512

                c514f051ab7d2a51247a9dc6dabafa1ec388b0abaeb5b7403dec2bef031e454c3dfa0ed9e95f1a2250efd41e4ac26f2269aaa586420fe9fdd7c2a1c84ce5e2f3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1311099.exe
                Filesize

                174KB

                MD5

                f0f6a240d0153ade64fbbf0eb51d73b0

                SHA1

                40d9c25e7fdd5c069d3ca9775954ed87ebba995a

                SHA256

                3ebdc72767716100a540b02db70301617737bf3899818db78374ebff17b2fd1d

                SHA512

                c514f051ab7d2a51247a9dc6dabafa1ec388b0abaeb5b7403dec2bef031e454c3dfa0ed9e95f1a2250efd41e4ac26f2269aaa586420fe9fdd7c2a1c84ce5e2f3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4428819.exe
                Filesize

                319KB

                MD5

                47eb59ed0ffb5577c25765b6ec28cf65

                SHA1

                33ad3a21b164cb57fd636cc2b72fe5ebd51ded51

                SHA256

                8cc91b999f4e66b87eef48d9b65135288af453176a6d0faf28800d44c9a9f8d8

                SHA512

                cf56b3d1ad1f2c66264aeb70cb164d03783c27e0454a76770fd7bae8c06a3afe47a761268609290100e1452b22735371474db8244a6f177708b14edb95d4aeb0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4428819.exe
                Filesize

                319KB

                MD5

                47eb59ed0ffb5577c25765b6ec28cf65

                SHA1

                33ad3a21b164cb57fd636cc2b72fe5ebd51ded51

                SHA256

                8cc91b999f4e66b87eef48d9b65135288af453176a6d0faf28800d44c9a9f8d8

                SHA512

                cf56b3d1ad1f2c66264aeb70cb164d03783c27e0454a76770fd7bae8c06a3afe47a761268609290100e1452b22735371474db8244a6f177708b14edb95d4aeb0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7658969.exe
                Filesize

                329KB

                MD5

                0f1bd29a5aef56d47e28b4663bb19b96

                SHA1

                bbbb8074f4fdfb0b796bc9e55dbe8321a6868614

                SHA256

                b40f7e67edaf44a03c4b31f2264ee7569e4cecd572082acee2ac11e6a8f4621e

                SHA512

                479f595531937aaa09e4da62a9cf9a01e5e7016c055be728718e4dfb818614a3095d6574e4ef385227c5cd5547773479b353f772c27fc60d9186f0de19cc0078

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7658969.exe
                Filesize

                329KB

                MD5

                0f1bd29a5aef56d47e28b4663bb19b96

                SHA1

                bbbb8074f4fdfb0b796bc9e55dbe8321a6868614

                SHA256

                b40f7e67edaf44a03c4b31f2264ee7569e4cecd572082acee2ac11e6a8f4621e

                SHA512

                479f595531937aaa09e4da62a9cf9a01e5e7016c055be728718e4dfb818614a3095d6574e4ef385227c5cd5547773479b353f772c27fc60d9186f0de19cc0078

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1491486.exe
                Filesize

                140KB

                MD5

                160fe4ae6d3356ac2f83be230b4de9a0

                SHA1

                01d1ef82efc8634da9b4d9bee6ffc5b5a7a79e27

                SHA256

                217ca4839c99b6730171f803e10515a701840b5d1452a43f569ad67bab34833d

                SHA512

                91641717cd66999eda5cf750e3717746483f6f91498f7a880463d37ad6e791e5fb23704730f28b90e2b3cdb0af04f1ec39f6d2ab04864c4389e149ca9d64e2de

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1491486.exe
                Filesize

                140KB

                MD5

                160fe4ae6d3356ac2f83be230b4de9a0

                SHA1

                01d1ef82efc8634da9b4d9bee6ffc5b5a7a79e27

                SHA256

                217ca4839c99b6730171f803e10515a701840b5d1452a43f569ad67bab34833d

                SHA512

                91641717cd66999eda5cf750e3717746483f6f91498f7a880463d37ad6e791e5fb23704730f28b90e2b3cdb0af04f1ec39f6d2ab04864c4389e149ca9d64e2de

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                Filesize

                329KB

                MD5

                0f1bd29a5aef56d47e28b4663bb19b96

                SHA1

                bbbb8074f4fdfb0b796bc9e55dbe8321a6868614

                SHA256

                b40f7e67edaf44a03c4b31f2264ee7569e4cecd572082acee2ac11e6a8f4621e

                SHA512

                479f595531937aaa09e4da62a9cf9a01e5e7016c055be728718e4dfb818614a3095d6574e4ef385227c5cd5547773479b353f772c27fc60d9186f0de19cc0078

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                Filesize

                329KB

                MD5

                0f1bd29a5aef56d47e28b4663bb19b96

                SHA1

                bbbb8074f4fdfb0b796bc9e55dbe8321a6868614

                SHA256

                b40f7e67edaf44a03c4b31f2264ee7569e4cecd572082acee2ac11e6a8f4621e

                SHA512

                479f595531937aaa09e4da62a9cf9a01e5e7016c055be728718e4dfb818614a3095d6574e4ef385227c5cd5547773479b353f772c27fc60d9186f0de19cc0078

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                Filesize

                329KB

                MD5

                0f1bd29a5aef56d47e28b4663bb19b96

                SHA1

                bbbb8074f4fdfb0b796bc9e55dbe8321a6868614

                SHA256

                b40f7e67edaf44a03c4b31f2264ee7569e4cecd572082acee2ac11e6a8f4621e

                SHA512

                479f595531937aaa09e4da62a9cf9a01e5e7016c055be728718e4dfb818614a3095d6574e4ef385227c5cd5547773479b353f772c27fc60d9186f0de19cc0078

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                Filesize

                329KB

                MD5

                0f1bd29a5aef56d47e28b4663bb19b96

                SHA1

                bbbb8074f4fdfb0b796bc9e55dbe8321a6868614

                SHA256

                b40f7e67edaf44a03c4b31f2264ee7569e4cecd572082acee2ac11e6a8f4621e

                SHA512

                479f595531937aaa09e4da62a9cf9a01e5e7016c055be728718e4dfb818614a3095d6574e4ef385227c5cd5547773479b353f772c27fc60d9186f0de19cc0078

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                Filesize

                329KB

                MD5

                0f1bd29a5aef56d47e28b4663bb19b96

                SHA1

                bbbb8074f4fdfb0b796bc9e55dbe8321a6868614

                SHA256

                b40f7e67edaf44a03c4b31f2264ee7569e4cecd572082acee2ac11e6a8f4621e

                SHA512

                479f595531937aaa09e4da62a9cf9a01e5e7016c055be728718e4dfb818614a3095d6574e4ef385227c5cd5547773479b353f772c27fc60d9186f0de19cc0078

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                5bc0153d2973241b72a38c51a2f72116

                SHA1

                cd9c689663557452631d9f8ff609208b01884a32

                SHA256

                68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

                SHA512

                2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                5bc0153d2973241b72a38c51a2f72116

                SHA1

                cd9c689663557452631d9f8ff609208b01884a32

                SHA256

                68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

                SHA512

                2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                5bc0153d2973241b72a38c51a2f72116

                SHA1

                cd9c689663557452631d9f8ff609208b01884a32

                SHA256

                68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

                SHA512

                2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                Filesize

                273B

                MD5

                374bfdcfcf19f4edfe949022092848d2

                SHA1

                df5ee40497e98efcfba30012452d433373d287d4

                SHA256

                224a123b69af5a3ab0553e334f6c70846c650597a63f6336c9420bbe8f00571f

                SHA512

                bc66dd6e675942a8b8cd776b0813d4b182091e45bfa7734b3818f58c83d04f81f0599a27625ff345d393959b8dbe478d8f1ed33d49f9bcee052c986c8665b8d7

                Download Submit

              • memory/4140-49-0x0000000072C60000-0x0000000073410000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4140-56-0x0000000072C60000-0x0000000073410000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4140-57-0x0000000004C00000-0x0000000004C10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4140-55-0x000000000A020000-0x000000000A05C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4140-54-0x0000000009FC0000-0x0000000009FD2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4140-53-0x0000000004C00000-0x0000000004C10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4140-52-0x000000000A0A0000-0x000000000A1AA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4140-51-0x000000000A5B0000-0x000000000ABC8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4140-50-0x0000000000210000-0x0000000000240000-memory.dmp

                Filesize

                192KB

                Download