amadey | 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3

General

Target

2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe
Size

777KB
MD5

47f9d8570bbbfd172ee66015af682251
SHA1

2040636052aed433a453ef4c0a1a6a16186e7c90
SHA256

2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3
SHA512

e65a6f651a46ae69b1b259e34029655503f1c54a2ed0f634495d55d8ed5283be84eda39c5a7e42d73bd41156826079d21917d6116296e70a6627fbb8d6307a9c
SSDEEP

12288:mvCgSiISROTL9SKNqLNXbCFCoekOWUsIOiizzMRK34+NBR:mKViMTLAXhqbYlizz0K3x

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.65/o7VsjdSa2f/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

94 5004 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

gntuud.exegntuud.exegntuud.exe

pid process

3376 gntuud.exe
4824 gntuud.exe
2376 gntuud.exe

flow	pid	process
94	5004	rundll32.exe

pid	process
3376	gntuud.exe
4824	gntuud.exe
2376	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5004 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5004	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

5004 rundll32.exe
5004 rundll32.exe
5004 rundll32.exe
5004 rundll32.exe

pid	process
3964	schtasks.exe

pid	process
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exegntuud.exe

description	pid	process	target process
PID 2432 wrote to memory of 3376	2432	2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe	gntuud.exe
PID 2432 wrote to memory of 3376	2432	2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe	gntuud.exe
PID 2432 wrote to memory of 3376	2432	2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe	gntuud.exe
PID 3376 wrote to memory of 3964	3376	gntuud.exe	schtasks.exe
PID 3376 wrote to memory of 3964	3376	gntuud.exe	schtasks.exe
PID 3376 wrote to memory of 3964	3376	gntuud.exe	schtasks.exe
PID 3376 wrote to memory of 5004	3376	gntuud.exe	rundll32.exe
PID 3376 wrote to memory of 5004	3376	gntuud.exe	rundll32.exe
PID 3376 wrote to memory of 5004	3376	gntuud.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe
"C:\Users\Admin\AppData\Local\Temp\2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:3964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:5004

C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
1⤵
- Executes dropped EXE
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
Filesize
777KB

MD5
47f9d8570bbbfd172ee66015af682251

SHA1
2040636052aed433a453ef4c0a1a6a16186e7c90

SHA256
2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3

SHA512
e65a6f651a46ae69b1b259e34029655503f1c54a2ed0f634495d55d8ed5283be84eda39c5a7e42d73bd41156826079d21917d6116296e70a6627fbb8d6307a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
Filesize
777KB

MD5
47f9d8570bbbfd172ee66015af682251

SHA1
2040636052aed433a453ef4c0a1a6a16186e7c90

SHA256
2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3

SHA512
e65a6f651a46ae69b1b259e34029655503f1c54a2ed0f634495d55d8ed5283be84eda39c5a7e42d73bd41156826079d21917d6116296e70a6627fbb8d6307a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
Filesize
777KB

MD5
47f9d8570bbbfd172ee66015af682251

SHA1
2040636052aed433a453ef4c0a1a6a16186e7c90

SHA256
2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3

SHA512
e65a6f651a46ae69b1b259e34029655503f1c54a2ed0f634495d55d8ed5283be84eda39c5a7e42d73bd41156826079d21917d6116296e70a6627fbb8d6307a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
Filesize
777KB

MD5
47f9d8570bbbfd172ee66015af682251

SHA1
2040636052aed433a453ef4c0a1a6a16186e7c90

SHA256
2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3

SHA512
e65a6f651a46ae69b1b259e34029655503f1c54a2ed0f634495d55d8ed5283be84eda39c5a7e42d73bd41156826079d21917d6116296e70a6627fbb8d6307a9c

Download Submit
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll
Filesize
126KB

MD5
f6d14701e7c568254151e153f7763672

SHA1
4501ffb7284f29cca51b06deba0262b8d33f93f6

SHA256
e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d

SHA512
62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2

Download Submit
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll
Filesize
126KB

MD5
f6d14701e7c568254151e153f7763672

SHA1
4501ffb7284f29cca51b06deba0262b8d33f93f6

SHA256
e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d

SHA512
62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2

Download Submit
memory/2376-146-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2432-135-0x00000000028B0000-0x000000000290C000-memory.dmp

Filesize
368KB

Download
memory/2432-136-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3376-139-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3376-137-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3376-132-0x0000000000000000-mapping.dmp

Download
memory/3964-138-0x0000000000000000-mapping.dmp

Download
memory/4824-144-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5004-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads