Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-12-2024 14:08

General

  • Target

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe

  • Size

    431KB

  • MD5

    4962575a2378d5c72e7a836ea766e2ad

  • SHA1

    549964178b12017622d3cbdda6dbfdef0904e7e2

  • SHA256

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

  • SHA512

    911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

  • SSDEEP

    12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

0f3be6

C2

http://185.81.68.147

http://185.81.68.148

Attributes
  • install_dir

    ee29ea508b

  • install_file

    Gxtuum.exe

  • strings_key

    d3a5912ea69ad34a2387af70c8be9e21

  • url_paths

    /7vhfjke3/index.php

    /8Fvu5jh4DbS/index.php

rc4.plain

Extracted

Family

redline

Botnet

eewx

C2

185.81.68.147:1912

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Blocklisted process makes network request 12 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 36 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
    "C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\692679935401_Desktop.zip' -CompressionLevel Optimal
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
      • C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe
        "C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
      • C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe
        "C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\692679935401_Desktop.zip' -CompressionLevel Optimal
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2656
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:884
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2932
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe

    Filesize

    300KB

    MD5

    7b6730ca4da283a35c41b831b9567f15

    SHA1

    92ef2fd33f713d72207209ec65f0de6eef395af5

    SHA256

    94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c

    SHA512

    ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace

  • C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe

    Filesize

    302KB

    MD5

    2682786590a361f965fb7e07170ebe2b

    SHA1

    57c2c049997bfebb5fae9d99745941e192e71df1

    SHA256

    50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d

    SHA512

    9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd

  • C:\Users\Admin\AppData\Local\Temp\692679935401

    Filesize

    76KB

    MD5

    277e3537804d6b11425d6630ff2dca51

    SHA1

    d3ec2ee9146c5cabcb03dddf6ccd3cffcc73a3d7

    SHA256

    857a8f5771dea9fc9c484d7711aa8289b5dfc817e2320b489ccbdfe765f3e1ad

    SHA512

    ef1072826ec95c35f6025a7eca63b7a3e4603b4fb9d10e34128aa3144c867fd845e21ef469b61a357bd8cccaa881b3ab572ca1bf5416fec031d56752fec3cac6

  • C:\Users\Admin\AppData\Local\Temp\_Files_\ConvertToPush.xlsx

    Filesize

    13KB

    MD5

    22ad5a662c0e4e050741369296c1d688

    SHA1

    3a0e2c207f4475a5be3d8a0fbdd301b515a6d4ab

    SHA256

    273d19b7c51feac97c30ccdc7453870c1896e3c0ab9b2785f6b2ab899c47ffea

    SHA512

    69dc87ebcabe9207a87bda20955b47ac2a2a4c9e6ae0bb1fdbb79c67ff8bfcd6a2f125336337f7d9a06e6b40f16d5dec5fd07895f7be643fc561c3b791765754

  • C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll

    Filesize

    124KB

    MD5

    c2f3fbbbe6d5f48a71b6b168b1485866

    SHA1

    1cd56cfc2dc07880b65bd8a1f5b7147633f5d553

    SHA256

    c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839

    SHA512

    e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a

  • C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll

    Filesize

    1.2MB

    MD5

    c6aabb27450f1a9939a417e86bf53217

    SHA1

    b8ef3bb7575139fd6997379415d7119e452b5fc4

    SHA256

    b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35

    SHA512

    e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    1218086e4af1d5728ae5fb7d1cc64297

    SHA1

    9e375ddc0987a1967526abf768d07e97b4d8f396

    SHA256

    adbdc8ec6a46184022b66a059071b8020111c9c14f6aa4d4b72a94cb1074e07a

    SHA512

    5a7c0808f98e393d516cc11f730271649687e980b0bac7991e5f38c3cf39762a9421937fa1cef98b75bdf11c401d2ee9b72627899f0d4e1544d4b07e1b1d16ce

  • \Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

    Filesize

    431KB

    MD5

    4962575a2378d5c72e7a836ea766e2ad

    SHA1

    549964178b12017622d3cbdda6dbfdef0904e7e2

    SHA256

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

    SHA512

    911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

  • memory/1584-63-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize

    32KB

  • memory/1584-62-0x000000001B140000-0x000000001B422000-memory.dmp

    Filesize

    2.9MB

  • memory/1644-110-0x000000001B360000-0x000000001B642000-memory.dmp

    Filesize

    2.9MB

  • memory/1644-111-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize

    32KB

  • memory/2388-1-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/3048-64-0x0000000000D00000-0x0000000000D52000-memory.dmp

    Filesize

    328KB