amadey | 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e

Analysis

max time kernel
172s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
Size

237KB
MD5

0460990761ea0b12df9d8133fb116bd7
SHA1

16d234e218b4d7963e94d5a8c1b6b273fc538f19
SHA256

8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e
SHA512

0aad95f916b1f07cdd2be965292fee772fd420f111f969823875a4c4952df4f3aa380d00eb53ce67572027464bce139d41deae17656fbecf1b6f04d3db764a32
SSDEEP

3072:rEW2zikDTjDqowd5u/NGVQUYocEKc0YTdfPOB4aHHQG70W8BVvFCEu:UDTjDR5Ub1Rm4IB7cBVNCE

Score

10^/10

amadey laplas collection persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.17/hfk3vK9/index.php

Extracted

Family

laplas

clipper.guru

Attributes

api_key
ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
behavioral1/memory/1172-174-0x00000000003B0000-0x00000000003D4000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

73 1172 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

gntuud.exelinda5.exegntuud.exeanon.exegala.exe

pid process

4988 gntuud.exe
4744 linda5.exe
2204 gntuud.exe
3112 anon.exe
2496 gala.exe

flow	pid	process
73	1172	rundll32.exe

pid	process
4988	gntuud.exe
4744	linda5.exe
2204	gntuud.exe
3112	anon.exe
2496	gala.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exegntuud.exelinda5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	linda5.exe

Loads dropped DLL 3 IoCs

Processes:

msiexec.exerundll32.exe

pid process

628 msiexec.exe
1172 rundll32.exe
1172 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
628	msiexec.exe
1172	rundll32.exe
1172	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003001\\linda5.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\anon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\anon.exe"	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4992	220	WerFault.exe	8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
1508	2204	WerFault.exe	gntuud.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1736 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1172 rundll32.exe
1172 rundll32.exe
1172 rundll32.exe
1172 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

anon.exe

description pid process

Token: SeDebugPrivilege 3112 anon.exe

pid	process
1736	schtasks.exe

pid	process
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3112	anon.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exegntuud.exelinda5.exe

description	pid	process	target process
PID 220 wrote to memory of 4988	220	8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe	gntuud.exe
PID 220 wrote to memory of 4988	220	8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe	gntuud.exe
PID 220 wrote to memory of 4988	220	8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe	gntuud.exe
PID 4988 wrote to memory of 1736	4988	gntuud.exe	schtasks.exe
PID 4988 wrote to memory of 1736	4988	gntuud.exe	schtasks.exe
PID 4988 wrote to memory of 1736	4988	gntuud.exe	schtasks.exe
PID 4988 wrote to memory of 4744	4988	gntuud.exe	linda5.exe
PID 4988 wrote to memory of 4744	4988	gntuud.exe	linda5.exe
PID 4988 wrote to memory of 4744	4988	gntuud.exe	linda5.exe
PID 4744 wrote to memory of 628	4744	linda5.exe	msiexec.exe
PID 4744 wrote to memory of 628	4744	linda5.exe	msiexec.exe
PID 4744 wrote to memory of 628	4744	linda5.exe	msiexec.exe
PID 4988 wrote to memory of 3112	4988	gntuud.exe	anon.exe
PID 4988 wrote to memory of 3112	4988	gntuud.exe	anon.exe
PID 4988 wrote to memory of 3112	4988	gntuud.exe	anon.exe
PID 4988 wrote to memory of 2496	4988	gntuud.exe	gala.exe
PID 4988 wrote to memory of 2496	4988	gntuud.exe	gala.exe
PID 4988 wrote to memory of 2496	4988	gntuud.exe	gala.exe
PID 4988 wrote to memory of 1172	4988	gntuud.exe	rundll32.exe
PID 4988 wrote to memory of 1172	4988	gntuud.exe	rundll32.exe
PID 4988 wrote to memory of 1172	4988	gntuud.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
"C:\Users\Admin\AppData\Local\Temp\8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:1736

C:\Users\Admin\AppData\Local\Temp\1000003001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\linda5.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\v9LqYzU.ErU
4⤵
- Loads dropped DLL
PID:628

C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Users\Admin\AppData\Local\Temp\1000004001\gala.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\gala.exe"
3⤵
- Executes dropped EXE
PID:2496

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1268
2⤵
- Program crash
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 220 -ip 220
1⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 416
2⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2204 -ip 2204
1⤵
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000003001\linda5.exe
Filesize
1.5MB

MD5
562e87edfeb432072d23de64daf26acf

SHA1
2916ae2a49851459c82ae95e656c49d16688eac1

SHA256
b0fef5290f1a17feba7db3c5abff05207ac838b40380461c2c84eefe6ba1a70d

SHA512
e9ac55ec0654db57984bddaa0d72cf17bc506e788dfee71f4b11c77e1d56135c946d1cbf201c0de4c2ae070ba87172ed4caa914a7be7cbc07279c729bd038d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\linda5.exe
Filesize
1.5MB

MD5
562e87edfeb432072d23de64daf26acf

SHA1
2916ae2a49851459c82ae95e656c49d16688eac1

SHA256
b0fef5290f1a17feba7db3c5abff05207ac838b40380461c2c84eefe6ba1a70d

SHA512
e9ac55ec0654db57984bddaa0d72cf17bc506e788dfee71f4b11c77e1d56135c946d1cbf201c0de4c2ae070ba87172ed4caa914a7be7cbc07279c729bd038d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gala.exe
Filesize
4.6MB

MD5
f6829a19455a7b24a79e0b984d2a42d9

SHA1
c71d657301d721b42c52c0252aa5fe0dbfb04f9f

SHA256
7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b

SHA512
e3d8db3d3938366e9fe8c1645647dbf29bfb5c9a6210f54bdfca05b9782f005b9b40df2a7980f160143c48139a638c5a4ff6b091d0d846a839d363eba94bce4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gala.exe
Filesize
4.6MB

MD5
f6829a19455a7b24a79e0b984d2a42d9

SHA1
c71d657301d721b42c52c0252aa5fe0dbfb04f9f

SHA256
7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b

SHA512
e3d8db3d3938366e9fe8c1645647dbf29bfb5c9a6210f54bdfca05b9782f005b9b40df2a7980f160143c48139a638c5a4ff6b091d0d846a839d363eba94bce4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe
Filesize
297KB

MD5
3091f1775af3bb34121b2caddb4eb353

SHA1
1661bf18cf8d266b2c3f1ac50c282dc945e568c8

SHA256
2282a4fcfa986d6781501636dfd04375c471e05fdfcb65732b088211bd9fff72

SHA512
70f1406e446944459f8488db52e7589d399cfb65460028f89a7ad58d1ddc93d68ffdb942f929c1674df26adaf6478caed1c7fef2798ae490b6bfefa7ddb0b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe
Filesize
297KB

MD5
3091f1775af3bb34121b2caddb4eb353

SHA1
1661bf18cf8d266b2c3f1ac50c282dc945e568c8

SHA256
2282a4fcfa986d6781501636dfd04375c471e05fdfcb65732b088211bd9fff72

SHA512
70f1406e446944459f8488db52e7589d399cfb65460028f89a7ad58d1ddc93d68ffdb942f929c1674df26adaf6478caed1c7fef2798ae490b6bfefa7ddb0b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
237KB

MD5
0460990761ea0b12df9d8133fb116bd7

SHA1
16d234e218b4d7963e94d5a8c1b6b273fc538f19

SHA256
8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e

SHA512
0aad95f916b1f07cdd2be965292fee772fd420f111f969823875a4c4952df4f3aa380d00eb53ce67572027464bce139d41deae17656fbecf1b6f04d3db764a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
237KB

MD5
0460990761ea0b12df9d8133fb116bd7

SHA1
16d234e218b4d7963e94d5a8c1b6b273fc538f19

SHA256
8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e

SHA512
0aad95f916b1f07cdd2be965292fee772fd420f111f969823875a4c4952df4f3aa380d00eb53ce67572027464bce139d41deae17656fbecf1b6f04d3db764a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
237KB

MD5
0460990761ea0b12df9d8133fb116bd7

SHA1
16d234e218b4d7963e94d5a8c1b6b273fc538f19

SHA256
8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e

SHA512
0aad95f916b1f07cdd2be965292fee772fd420f111f969823875a4c4952df4f3aa380d00eb53ce67572027464bce139d41deae17656fbecf1b6f04d3db764a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9LqYzU.ErU
Filesize
1.8MB

MD5
fffc278f07ae1be001b80ca8ee0267d2

SHA1
04d4b6c7349c9c5b0327fcfc65864d022e4128e6

SHA256
8c9042a5904e663a0f2516935ac611af817ad760994055f47fa613b4574babf2

SHA512
ce39d95b7695641f0a0539cba38c413c5a8cba3d91821f9312a809907c12d7a3ab85a7b6961161f09dba205dcdf49956f3b0c7370ab225643425b3f9d3171b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9LqyzU.ErU
Filesize
1.8MB

MD5
fffc278f07ae1be001b80ca8ee0267d2

SHA1
04d4b6c7349c9c5b0327fcfc65864d022e4128e6

SHA256
8c9042a5904e663a0f2516935ac611af817ad760994055f47fa613b4574babf2

SHA512
ce39d95b7695641f0a0539cba38c413c5a8cba3d91821f9312a809907c12d7a3ab85a7b6961161f09dba205dcdf49956f3b0c7370ab225643425b3f9d3171b51

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
adbaf286228c46522e50371c4be31a03

SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297

SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
adbaf286228c46522e50371c4be31a03

SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297

SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
adbaf286228c46522e50371c4be31a03

SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297

SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

Download Submit
memory/220-133-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/220-134-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/220-132-0x000000000098E000-0x00000000009AD000-memory.dmp

Filesize
124KB

Download
memory/220-142-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/220-141-0x000000000098E000-0x00000000009AD000-memory.dmp

Filesize
124KB

Download
memory/628-152-0x0000000002EF0000-0x0000000002FEE000-memory.dmp

Filesize
1016KB

Download
memory/628-162-0x0000000002FF0000-0x00000000030B5000-memory.dmp

Filesize
788KB

Download
memory/628-147-0x0000000000000000-mapping.dmp

Download
memory/628-168-0x0000000002EF0000-0x0000000002FEE000-memory.dmp

Filesize
1016KB

Download
memory/628-151-0x0000000002C90000-0x0000000002DE9000-memory.dmp

Filesize
1.3MB

Download
memory/628-163-0x00000000030C0000-0x0000000003171000-memory.dmp

Filesize
708KB

Download
memory/1172-174-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/1172-170-0x0000000000000000-mapping.dmp

Download
memory/1736-143-0x0000000000000000-mapping.dmp

Download
memory/2204-157-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/2204-156-0x00000000008C0000-0x00000000008DF000-memory.dmp

Filesize
124KB

Download
memory/2496-166-0x0000000000000000-mapping.dmp

Download
memory/3112-153-0x0000000000000000-mapping.dmp

Download
memory/3112-159-0x0000000002250000-0x000000000228E000-memory.dmp

Filesize
248KB

Download
memory/3112-158-0x000000000085C000-0x000000000088D000-memory.dmp

Filesize
196KB

Download
memory/3112-160-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/3112-161-0x000000000085C000-0x000000000088D000-memory.dmp

Filesize
196KB

Download
memory/3112-175-0x0000000005060000-0x0000000005604000-memory.dmp

Filesize
5.6MB

Download
memory/3112-176-0x0000000002A30000-0x0000000002AC2000-memory.dmp

Filesize
584KB

Download
memory/4744-144-0x0000000000000000-mapping.dmp

Download
memory/4988-140-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/4988-139-0x0000000002350000-0x000000000238E000-memory.dmp

Filesize
248KB

Download
memory/4988-138-0x00000000009CC000-0x00000000009EB000-memory.dmp

Filesize
124KB

Download
memory/4988-135-0x0000000000000000-mapping.dmp

Download