Overview

overview

10

Static

static

10

spicis4.amdy.exe

windows7-x64

10

spicis4.amdy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    247s
  • max time network
    310s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spicis4.amdy.exe

  • Size

    2.8MB

  • MD5

    26fa97abd73e1517729549b2b27d03a2

  • SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

  • SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

  • SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

  • SSDEEP

    49152:6skDShXlT0EeNYaDbp9CN/BRh0MvaBtb6iOPXk3:VXXd0Epanp9IBRPv2tSk

Score
10/10
amadeycollectionevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.68/hfk3vK9/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 6 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 6 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Themida packer 33 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks whether UAC is enabled 1 TTPs 7 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\spicis4.amdy.exe
    "C:\Users\Admin\AppData\Local\Temp\spicis4.amdy.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:968
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:1496
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {54A40627-259C-4223-8B8A-3E5093BFE48B} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:1988
    • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:1192
    • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:756
    • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:2012
    • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
    Filesize

    126KB

    MD5

    45de67357d1bbf74eb306173dba0a950

    SHA1

    d255f695f2a3f4aacbc8208af65cfc3037ce2c7b

    SHA256

    8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92

    SHA512

    7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Filesize

    2.8MB

    MD5

    26fa97abd73e1517729549b2b27d03a2

    SHA1

    f74d14de09519cc6a8f77d867bcc20a554fabe89

    SHA256

    af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc

    SHA512

    d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a

    Download Submit
  • \Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
    Filesize

    126KB

    MD5

    45de67357d1bbf74eb306173dba0a950

    SHA1

    d255f695f2a3f4aacbc8208af65cfc3037ce2c7b

    SHA256

    8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92

    SHA512

    7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23

    Download Submit
  • \Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
    Filesize

    126KB

    MD5

    45de67357d1bbf74eb306173dba0a950

    SHA1

    d255f695f2a3f4aacbc8208af65cfc3037ce2c7b

    SHA256

    8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92

    SHA512

    7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23

    Download Submit
  • \Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
    Filesize

    126KB

    MD5

    45de67357d1bbf74eb306173dba0a950

    SHA1

    d255f695f2a3f4aacbc8208af65cfc3037ce2c7b

    SHA256

    8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92

    SHA512

    7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23

    Download Submit
  • \Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
    Filesize

    126KB

    MD5

    45de67357d1bbf74eb306173dba0a950

    SHA1

    d255f695f2a3f4aacbc8208af65cfc3037ce2c7b

    SHA256

    8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92

    SHA512

    7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23

    Download Submit
  • memory/756-96-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/756-92-0x0000000000000000-mapping.dmp
    Download
  • memory/756-97-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/756-95-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/968-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1192-83-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1192-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1192-91-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1192-90-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1192-81-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1224-66-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1224-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1224-64-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1224-76-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1224-65-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1496-89-0x0000000000170000-0x0000000000194000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1496-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-109-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1780-104-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-108-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1780-107-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1988-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-75-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1988-74-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1988-72-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2012-62-0x0000000000A50000-0x0000000000D1D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2012-101-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2012-102-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2012-103-0x0000000001360000-0x000000000162D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2012-56-0x0000000000A50000-0x0000000000D1D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2012-55-0x0000000000A50000-0x0000000000D1D000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2012-98-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2012-57-0x0000000000A50000-0x0000000000D1D000-memory.dmp
    Filesize

    2.8MB

    Download