Analysis
-
max time kernel
125s -
max time network
159s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
26-11-2022 03:52
General
-
Target
d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479.exe
-
Size
780KB
-
MD5
f0c185e6b021663740d2fd5521a20c33
-
SHA1
40b4657f8dc47318dc869f5dc1c037633510260c
-
SHA256
d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479
-
SHA512
17ca79e985019f56630ddd533371e6e9297f77832a3ee11779c3c5b5b6e8bde08db113dad7d8e8ccb905d4b5a512a588de7138f97bc81a5cc14c67955aee77d0
-
SSDEEP
12288:M7T+kWJc7161BOrx4l/7B1pVqfjKh1OWUsIOiizzMRK34+NBR:MnVr71OK8Dn2bKfYlizz0K3x
Malware Config
Extracted
amadey
3.50
77.73.134.65/o7VsjdSa2f/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 3 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479.exe"C:\Users\Admin\AppData\Local\Temp\d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exeC:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exeC:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exeFilesize
780KB
MD5f0c185e6b021663740d2fd5521a20c33
SHA140b4657f8dc47318dc869f5dc1c037633510260c
SHA256d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479
SHA51217ca79e985019f56630ddd533371e6e9297f77832a3ee11779c3c5b5b6e8bde08db113dad7d8e8ccb905d4b5a512a588de7138f97bc81a5cc14c67955aee77d0
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exeFilesize
780KB
MD5f0c185e6b021663740d2fd5521a20c33
SHA140b4657f8dc47318dc869f5dc1c037633510260c
SHA256d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479
SHA51217ca79e985019f56630ddd533371e6e9297f77832a3ee11779c3c5b5b6e8bde08db113dad7d8e8ccb905d4b5a512a588de7138f97bc81a5cc14c67955aee77d0
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exeFilesize
780KB
MD5f0c185e6b021663740d2fd5521a20c33
SHA140b4657f8dc47318dc869f5dc1c037633510260c
SHA256d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479
SHA51217ca79e985019f56630ddd533371e6e9297f77832a3ee11779c3c5b5b6e8bde08db113dad7d8e8ccb905d4b5a512a588de7138f97bc81a5cc14c67955aee77d0
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exeFilesize
780KB
MD5f0c185e6b021663740d2fd5521a20c33
SHA140b4657f8dc47318dc869f5dc1c037633510260c
SHA256d895a1fe45b9330f314baf1833f5663f1bcd29be84f03052ed157127ad4ee479
SHA51217ca79e985019f56630ddd533371e6e9297f77832a3ee11779c3c5b5b6e8bde08db113dad7d8e8ccb905d4b5a512a588de7138f97bc81a5cc14c67955aee77d0
-
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dllFilesize
126KB
MD5f6d14701e7c568254151e153f7763672
SHA14501ffb7284f29cca51b06deba0262b8d33f93f6
SHA256e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
SHA51262c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
-
\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dllFilesize
126KB
MD5f6d14701e7c568254151e153f7763672
SHA14501ffb7284f29cca51b06deba0262b8d33f93f6
SHA256e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
SHA51262c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
-
\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dllFilesize
126KB
MD5f6d14701e7c568254151e153f7763672
SHA14501ffb7284f29cca51b06deba0262b8d33f93f6
SHA256e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
SHA51262c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
-
memory/1224-432-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/3608-188-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-183-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-174-0x0000000000000000-mapping.dmp
-
memory/3608-186-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-187-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-232-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/3608-185-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-189-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-182-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-181-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-179-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-178-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-177-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-176-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3608-258-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/3968-140-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-172-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-145-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-146-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-147-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-148-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-149-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-150-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-151-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-152-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-153-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-154-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-155-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-156-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-157-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-158-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-159-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-160-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-161-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-162-0x00000000024E0000-0x000000000253C000-memory.dmpFilesize
368KB
-
memory/3968-163-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-164-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-165-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-166-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-167-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/3968-168-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-169-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-170-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-171-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-144-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-173-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-143-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-142-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-141-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-120-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-139-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-138-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-137-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-180-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/3968-136-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-135-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-134-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-133-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-132-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-131-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-130-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-129-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-121-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-128-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-127-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-126-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-122-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-123-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-125-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/3968-124-0x0000000077DE0000-0x0000000077F6E000-memory.dmpFilesize
1.6MB
-
memory/4140-302-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/4764-230-0x0000000000000000-mapping.dmp
-
memory/4972-303-0x0000000000000000-mapping.dmp