amadey | b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae

Analysis

max time kernel
139s
max time network
133s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27/11/2022, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe
Size

209KB
MD5

837e602c1c99e5b1a1c222dae09ce30f
SHA1

4de8c0574230139aa4f840ffda05e58ee9771f71
SHA256

b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae
SHA512

b9f62a027900bbcd4368ecb95630186ff99657c94397d3d96c13e0522ccbeb7b947c8225272614511c117b9e81334ab5c4e46db3b70d387e7e38dafdd5f8b36f
SSDEEP

3072:0744wqfFImJjYd4LOy4W5l1df8NduLtDLmPaZqL1ylO/fHFyGEjgjdHg20cTSVFU:fEbJ24LOK3Z6PIa1yCfH8GjpHg2cn74

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.17/hfk3vK9/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000015567-297.dat	amadey_cred_module
behavioral1/files/0x0003000000015567-298.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	4984	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4120	gntuud.exe
3912	gntuud.exe
4248	gntuud.exe

Loads dropped DLL 1 IoCs

pid	Process
4984	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4984	rundll32.exe
4984	rundll32.exe
4984	rundll32.exe
4984	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4120	2124	b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe	66
PID 2124 wrote to memory of 4120	2124	b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe	66
PID 2124 wrote to memory of 4120	2124	b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe	66
PID 4120 wrote to memory of 4952	4120	gntuud.exe	67
PID 4120 wrote to memory of 4952	4120	gntuud.exe	67
PID 4120 wrote to memory of 4952	4120	gntuud.exe	67
PID 4120 wrote to memory of 4984	4120	gntuud.exe	69
PID 4120 wrote to memory of 4984	4120	gntuud.exe	69
PID 4120 wrote to memory of 4984	4120	gntuud.exe	69

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe
"C:\Users\Admin\AppData\Local\Temp\b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4952
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:4984

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
1⤵
- Executes dropped EXE
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
209KB

MD5
837e602c1c99e5b1a1c222dae09ce30f

SHA1
4de8c0574230139aa4f840ffda05e58ee9771f71

SHA256
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae

SHA512
b9f62a027900bbcd4368ecb95630186ff99657c94397d3d96c13e0522ccbeb7b947c8225272614511c117b9e81334ab5c4e46db3b70d387e7e38dafdd5f8b36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
209KB

MD5
837e602c1c99e5b1a1c222dae09ce30f

SHA1
4de8c0574230139aa4f840ffda05e58ee9771f71

SHA256
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae

SHA512
b9f62a027900bbcd4368ecb95630186ff99657c94397d3d96c13e0522ccbeb7b947c8225272614511c117b9e81334ab5c4e46db3b70d387e7e38dafdd5f8b36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
209KB

MD5
837e602c1c99e5b1a1c222dae09ce30f

SHA1
4de8c0574230139aa4f840ffda05e58ee9771f71

SHA256
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae

SHA512
b9f62a027900bbcd4368ecb95630186ff99657c94397d3d96c13e0522ccbeb7b947c8225272614511c117b9e81334ab5c4e46db3b70d387e7e38dafdd5f8b36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
209KB

MD5
837e602c1c99e5b1a1c222dae09ce30f

SHA1
4de8c0574230139aa4f840ffda05e58ee9771f71

SHA256
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae

SHA512
b9f62a027900bbcd4368ecb95630186ff99657c94397d3d96c13e0522ccbeb7b947c8225272614511c117b9e81334ab5c4e46db3b70d387e7e38dafdd5f8b36f

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll

Filesize
126KB

MD5
adbaf286228c46522e50371c4be31a03

SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297

SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll

Filesize
126KB

MD5
adbaf286228c46522e50371c4be31a03

SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297

SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

Download Submit
memory/2124-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-127-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-144-0x000000000066A000-0x0000000000689000-memory.dmp

Filesize
124KB

Download
memory/2124-145-0x00000000004C0000-0x00000000004FE000-memory.dmp

Filesize
248KB

Download
memory/2124-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-157-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-158-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-159-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-124-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-162-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2124-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-167-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-177-0x00000000004C0000-0x00000000004FE000-memory.dmp

Filesize
248KB

Download
memory/2124-179-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2124-174-0x000000000066A000-0x0000000000689000-memory.dmp

Filesize
124KB

Download
memory/2124-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3912-375-0x00000000006EE000-0x000000000070D000-memory.dmp

Filesize
124KB

Download
memory/3912-376-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4120-188-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-187-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-186-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-191-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-189-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-190-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-184-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-219-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/4120-255-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/4120-220-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4120-256-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4120-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4120-192-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-412-0x00000000006EE000-0x000000000070D000-memory.dmp

Filesize
124KB

Download
memory/4248-413-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download