Overview

overview

10

Static

static

3

NEAS.f8e00...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    254s
  • max time network
    264s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2023 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.f8e00910e372ba8defb8553c09fb6270.exe

  • Size

    1.8MB

  • MD5

    f8e00910e372ba8defb8553c09fb6270

  • SHA1

    b079db4331232b3e7675923bc6c7fa77b45e2556

  • SHA256

    ca39072e59aee74b906c90547c46516e0cb7bf5af21d192a0884c55928563045

  • SHA512

    f47083eaeeca562b468446f4b2beb669ba80d9e8fd22d5c92e3e71f27d4396977e10af12522fafeb202408701d4d9c7e98e3a1b780f7325f50deea1b95abb792

  • SSDEEP

    49152:KpOUExJ5pvEK376Vx9LCIulmMDJ+2G4m:bLX5pcK+Vx9S+T4m

Score
10/10
amadeyredlinesmokeloaderplostbackdoorevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f8e00910e372ba8defb8553c09fb6270.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f8e00910e372ba8defb8553c09fb6270.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pH2zR09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pH2zR09.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pk9en32.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pk9en32.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YE4ln76.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YE4ln76.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QF4LF85.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QF4LF85.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3272
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UB8JU31.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UB8JU31.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:3692
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ut38rs2.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ut38rs2.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:4164
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                  • Modifies Windows Defender Real-time Protection settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3880
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yA3008.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yA3008.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3964
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2540
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 540
                    9⤵
                    • Program crash
                    PID:3656
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 540
                    9⤵
                    • Program crash
                    PID:548
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sr54Md.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sr54Md.exe
              6⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:3352
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4tV725Zf.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4tV725Zf.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
                PID:1704
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                  PID:2380
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dv6xI8.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dv6xI8.exe
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              PID:4936
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2540 -ip 2540
        1⤵
          PID:3696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pH2zR09.exe
          Filesize

          1.7MB

          MD5

          b8de4d6a32bc08c1c24edb9e628c2382

          SHA1

          bf81478938a8b492ea23c81db6dafaa48ea54298

          SHA256

          bc3b4a5e115618e3c40b6e46235e6afd3b3e2100f7abc6aa2ac50d169c821c85

          SHA512

          eb6eaa89b42319a18aa36473c1128a10efa0ae288952d9c4718c454024bfe5137ffdf267e5b8f269232d408bfba65b37828800a30e14046a65ef17d93b3664ef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pH2zR09.exe
          Filesize

          1.7MB

          MD5

          b8de4d6a32bc08c1c24edb9e628c2382

          SHA1

          bf81478938a8b492ea23c81db6dafaa48ea54298

          SHA256

          bc3b4a5e115618e3c40b6e46235e6afd3b3e2100f7abc6aa2ac50d169c821c85

          SHA512

          eb6eaa89b42319a18aa36473c1128a10efa0ae288952d9c4718c454024bfe5137ffdf267e5b8f269232d408bfba65b37828800a30e14046a65ef17d93b3664ef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pk9en32.exe
          Filesize

          1.5MB

          MD5

          c5d13a446e4cda57f526334e4cdcc8b4

          SHA1

          f15c68e6aebacea238098f8551fb37c2eda9c82e

          SHA256

          f1473ef23fe8df190a58ea612856de9236682596e52e7f6ef536e5b3b0590411

          SHA512

          3d37d7dec3674e0763744a63ca534e0c4cdc1ddbbeae5d447261844099cba62a1a2ce44eee7a17f0ca213f9efb8f72fc7516946b172a294c81eb57fbb7f412b4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pk9en32.exe
          Filesize

          1.5MB

          MD5

          c5d13a446e4cda57f526334e4cdcc8b4

          SHA1

          f15c68e6aebacea238098f8551fb37c2eda9c82e

          SHA256

          f1473ef23fe8df190a58ea612856de9236682596e52e7f6ef536e5b3b0590411

          SHA512

          3d37d7dec3674e0763744a63ca534e0c4cdc1ddbbeae5d447261844099cba62a1a2ce44eee7a17f0ca213f9efb8f72fc7516946b172a294c81eb57fbb7f412b4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dv6xI8.exe
          Filesize

          222KB

          MD5

          fc86daf8bfec4dfc0c210dc263ca31d1

          SHA1

          6ce9a160a24d6b6851a9fafea1b20132356748e7

          SHA256

          883b355aa87b6024ef6ca1a5d506b0d7b1562c6d0ea85e552885d6d49d9a5b62

          SHA512

          a6dc11d6a2e22c01d0deec80041cb9b15bd4512a463145a9b14d6ea2d0afbc8d5c4dcd41890517093984aea6a1d5f7d2b0effe8259e7d7ba6b40a57817f2e246

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dv6xI8.exe
          Filesize

          222KB

          MD5

          fc86daf8bfec4dfc0c210dc263ca31d1

          SHA1

          6ce9a160a24d6b6851a9fafea1b20132356748e7

          SHA256

          883b355aa87b6024ef6ca1a5d506b0d7b1562c6d0ea85e552885d6d49d9a5b62

          SHA512

          a6dc11d6a2e22c01d0deec80041cb9b15bd4512a463145a9b14d6ea2d0afbc8d5c4dcd41890517093984aea6a1d5f7d2b0effe8259e7d7ba6b40a57817f2e246

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YE4ln76.exe
          Filesize

          1.3MB

          MD5

          19f56d5b8915b3a427baf62d073f2170

          SHA1

          374f3e578029042165a1d6a5a72943cc77facc1c

          SHA256

          95bca0d2c9cfe11effad203f079db281ebb687d59dcc2428de63b6bb2bd3916f

          SHA512

          8ef951e8a387d59b2c6f3a89c3f33b432ee2135e18fdba09de03ec599555d940dbb5c9d079d1bc9446500f4ee87636d853e5d01a6df7564e5da00e05b051e98a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YE4ln76.exe
          Filesize

          1.3MB

          MD5

          19f56d5b8915b3a427baf62d073f2170

          SHA1

          374f3e578029042165a1d6a5a72943cc77facc1c

          SHA256

          95bca0d2c9cfe11effad203f079db281ebb687d59dcc2428de63b6bb2bd3916f

          SHA512

          8ef951e8a387d59b2c6f3a89c3f33b432ee2135e18fdba09de03ec599555d940dbb5c9d079d1bc9446500f4ee87636d853e5d01a6df7564e5da00e05b051e98a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4tV725Zf.exe
          Filesize

          1.9MB

          MD5

          de648ccfd9ac45afffbc905aa12eda30

          SHA1

          8c8b7d90b3832b02809835c9b744bc04f609e2c4

          SHA256

          2a63b009c027afcd082ef16157f1080c94b125dbebb2c60b585c04eb85ee1074

          SHA512

          0e8df676bbddbcfbe7daabf769ca80220ff98a33e3c8ee9214ee2c7f8b3d631ba90fca8033a0cbc22b21e4bd558c49eab9496c31eb0c796b3621bc9112895ac7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4tV725Zf.exe
          Filesize

          1.9MB

          MD5

          de648ccfd9ac45afffbc905aa12eda30

          SHA1

          8c8b7d90b3832b02809835c9b744bc04f609e2c4

          SHA256

          2a63b009c027afcd082ef16157f1080c94b125dbebb2c60b585c04eb85ee1074

          SHA512

          0e8df676bbddbcfbe7daabf769ca80220ff98a33e3c8ee9214ee2c7f8b3d631ba90fca8033a0cbc22b21e4bd558c49eab9496c31eb0c796b3621bc9112895ac7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QF4LF85.exe
          Filesize

          782KB

          MD5

          72b545b3c2bc87f3b7982796019efa8f

          SHA1

          5451e77df3d9a96370934be67a379be61f3c604e

          SHA256

          77eee4fda1f140363e938a339ff39ff118ebbc922d1f67c28bdd8ac7e006b547

          SHA512

          56d13b0ddc66720b662c94330e7a53e87d0989bb159fbdeb804a3626f9551c02f9ec9838fece8f4f26dd4c6b5108f0faee105e31156c5adf8be6efede47de0c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QF4LF85.exe
          Filesize

          782KB

          MD5

          72b545b3c2bc87f3b7982796019efa8f

          SHA1

          5451e77df3d9a96370934be67a379be61f3c604e

          SHA256

          77eee4fda1f140363e938a339ff39ff118ebbc922d1f67c28bdd8ac7e006b547

          SHA512

          56d13b0ddc66720b662c94330e7a53e87d0989bb159fbdeb804a3626f9551c02f9ec9838fece8f4f26dd4c6b5108f0faee105e31156c5adf8be6efede47de0c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sr54Md.exe
          Filesize

          31KB

          MD5

          b350a29606905b8faeb3c562822be881

          SHA1

          ac61485343953e46fa0bd556ae740c58c47f67e0

          SHA256

          a965cfb5c23d232204462ae14f2f38dca50c7c2a2353eee7a0604b32aaf056aa

          SHA512

          9c5438a023afb0e2321ab4251c39a79853664d45cc1c6455854c3971a083bb44d1f9921393dce703eb8aeccc265ea242d7abd7f92a1ff8881961ddca2d39e1d0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Sr54Md.exe
          Filesize

          31KB

          MD5

          b350a29606905b8faeb3c562822be881

          SHA1

          ac61485343953e46fa0bd556ae740c58c47f67e0

          SHA256

          a965cfb5c23d232204462ae14f2f38dca50c7c2a2353eee7a0604b32aaf056aa

          SHA512

          9c5438a023afb0e2321ab4251c39a79853664d45cc1c6455854c3971a083bb44d1f9921393dce703eb8aeccc265ea242d7abd7f92a1ff8881961ddca2d39e1d0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UB8JU31.exe
          Filesize

          658KB

          MD5

          ba848c64aa3f6d21eb1d501d96aab5f6

          SHA1

          6a7b8780fce7dd19406add05c990a52bc4fb263a

          SHA256

          6c7adde4f891882f44a7c018b580a404080cc3d53271174aa69960374b2d3cc6

          SHA512

          12f36c1ae0893fb6f7220717122e289d663081626461b667968f0a57b3c1e7ed3bc6e3234db596d0f679488c9caf64106a46a32e8dc8097524c5a6101c8255a7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UB8JU31.exe
          Filesize

          658KB

          MD5

          ba848c64aa3f6d21eb1d501d96aab5f6

          SHA1

          6a7b8780fce7dd19406add05c990a52bc4fb263a

          SHA256

          6c7adde4f891882f44a7c018b580a404080cc3d53271174aa69960374b2d3cc6

          SHA512

          12f36c1ae0893fb6f7220717122e289d663081626461b667968f0a57b3c1e7ed3bc6e3234db596d0f679488c9caf64106a46a32e8dc8097524c5a6101c8255a7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ut38rs2.exe
          Filesize

          1.6MB

          MD5

          ab311e7d52f0b132e43b9808e615e27b

          SHA1

          248613e13b889b56691a08d464247de1c8c4dd5a

          SHA256

          1b92965c7c33e3d5853c91e93b08d0a0c7c5812c5926aa93b9bae9217a5c7639

          SHA512

          963d4ac3d0d659ac66e769fc2e67b72a434644db08184bdd917410a4fac679f002a391acf83c22abc0e94f76a4a4fba137a6827f61f9d44000f21c588a27b723

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ut38rs2.exe
          Filesize

          1.6MB

          MD5

          ab311e7d52f0b132e43b9808e615e27b

          SHA1

          248613e13b889b56691a08d464247de1c8c4dd5a

          SHA256

          1b92965c7c33e3d5853c91e93b08d0a0c7c5812c5926aa93b9bae9217a5c7639

          SHA512

          963d4ac3d0d659ac66e769fc2e67b72a434644db08184bdd917410a4fac679f002a391acf83c22abc0e94f76a4a4fba137a6827f61f9d44000f21c588a27b723

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yA3008.exe
          Filesize

          1.8MB

          MD5

          666c4b3b31788b40989902e01761e309

          SHA1

          df30434d01ec37d327c6bcba9877c6e9580edf99

          SHA256

          c7a23b77a10c92ec713729ec384fd4a0a162719f4c45775851df3380a16e0db1

          SHA512

          b3104660652e1d663309105c208c2c73ce365b44cba6576b6337d1724147ce9b58bb849b9b061a833354ef561c4a2d5341366a42512e419951c28e5772586519

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yA3008.exe
          Filesize

          1.8MB

          MD5

          666c4b3b31788b40989902e01761e309

          SHA1

          df30434d01ec37d327c6bcba9877c6e9580edf99

          SHA256

          c7a23b77a10c92ec713729ec384fd4a0a162719f4c45775851df3380a16e0db1

          SHA512

          b3104660652e1d663309105c208c2c73ce365b44cba6576b6337d1724147ce9b58bb849b9b061a833354ef561c4a2d5341366a42512e419951c28e5772586519

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
          Filesize

          222KB

          MD5

          fc86daf8bfec4dfc0c210dc263ca31d1

          SHA1

          6ce9a160a24d6b6851a9fafea1b20132356748e7

          SHA256

          883b355aa87b6024ef6ca1a5d506b0d7b1562c6d0ea85e552885d6d49d9a5b62

          SHA512

          a6dc11d6a2e22c01d0deec80041cb9b15bd4512a463145a9b14d6ea2d0afbc8d5c4dcd41890517093984aea6a1d5f7d2b0effe8259e7d7ba6b40a57817f2e246

          Download Submit

        • memory/2380-73-0x0000000007E40000-0x00000000083E4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2380-77-0x0000000007960000-0x000000000796A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2380-74-0x0000000007990000-0x0000000007A22000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2380-76-0x0000000007AF0000-0x0000000007B00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-75-0x00000000748D0000-0x0000000075080000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2380-82-0x0000000007AF0000-0x0000000007B00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-65-0x00000000748D0000-0x0000000075080000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2380-64-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2540-51-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2540-47-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2540-49-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2540-48-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/3352-58-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3352-55-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3368-57-0x0000000002470000-0x0000000002486000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3880-46-0x00000000748D0000-0x0000000075080000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3880-72-0x00000000748D0000-0x0000000075080000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3880-42-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3880-52-0x00000000748D0000-0x0000000075080000-memory.dmp

          Filesize

          7.7MB

          Download