amadey | b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf

General

Target

b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf.exe
Size

244KB
MD5

58588ea18c2dcc2a1b615487e9eef4f0
SHA1

71d0005f925bdd040e73dd8431bd9425b71ab7b4
SHA256

b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf
SHA512

1beee595cd09befcada46c89fb090e74804f11f6ff1c2e8f9fb5c2a9341b06122f7adddb85c19572392d835607edbf69375917ea6ccca22d18c1b868dce29def
SSDEEP

3072:6hMyv8+z1C4MinBr652ai+bXyXsd8li6Sab2QLi3rAX4iqSWoSEJsnE2zRsF2KRh:4Mykj4NnhP+bI4XViqNMKnnzT+Mc

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.17/hfk3vK9/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000000071f-151.dat	amadey_cred_module
behavioral1/files/0x000300000000071f-152.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
44	1956	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
4896	gntuud.exe
536	gntuud.exe
2328	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4532	1488	WerFault.exe	78
1060	536	WerFault.exe	87
3504	536	WerFault.exe	87
3140	2328	WerFault.exe	93
4052	2328	WerFault.exe	93

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1956	rundll32.exe
1956	rundll32.exe
1956	rundll32.exe
1956	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4896	1488	b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf.exe	79
PID 1488 wrote to memory of 4896	1488	b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf.exe	79
PID 1488 wrote to memory of 4896	1488	b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf.exe	79
PID 4896 wrote to memory of 1608	4896	gntuud.exe	85
PID 4896 wrote to memory of 1608	4896	gntuud.exe	85
PID 4896 wrote to memory of 1608	4896	gntuud.exe	85
PID 4896 wrote to memory of 1956	4896	gntuud.exe	92
PID 4896 wrote to memory of 1956	4896	gntuud.exe	92
PID 4896 wrote to memory of 1956	4896	gntuud.exe	92

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf.exe
"C:\Users\Admin\AppData\Local\Temp\b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1608
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1140
  2⤵
  - Program crash
  PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1488 -ip 1488
1⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
1⤵
- Executes dropped EXE
PID:536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 460
  2⤵
  - Program crash
  PID:1060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 480
  2⤵
  - Program crash
  PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 536 -ip 536
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 536 -ip 536
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
1⤵
- Executes dropped EXE
PID:2328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 460
  2⤵
  - Program crash
  PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 480
  2⤵
  - Program crash
  PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2328 -ip 2328
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2328 -ip 2328
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
244KB

MD5
58588ea18c2dcc2a1b615487e9eef4f0

SHA1
71d0005f925bdd040e73dd8431bd9425b71ab7b4

SHA256
b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf

SHA512
1beee595cd09befcada46c89fb090e74804f11f6ff1c2e8f9fb5c2a9341b06122f7adddb85c19572392d835607edbf69375917ea6ccca22d18c1b868dce29def

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
244KB

MD5
58588ea18c2dcc2a1b615487e9eef4f0

SHA1
71d0005f925bdd040e73dd8431bd9425b71ab7b4

SHA256
b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf

SHA512
1beee595cd09befcada46c89fb090e74804f11f6ff1c2e8f9fb5c2a9341b06122f7adddb85c19572392d835607edbf69375917ea6ccca22d18c1b868dce29def

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
244KB

MD5
58588ea18c2dcc2a1b615487e9eef4f0

SHA1
71d0005f925bdd040e73dd8431bd9425b71ab7b4

SHA256
b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf

SHA512
1beee595cd09befcada46c89fb090e74804f11f6ff1c2e8f9fb5c2a9341b06122f7adddb85c19572392d835607edbf69375917ea6ccca22d18c1b868dce29def

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
244KB

MD5
58588ea18c2dcc2a1b615487e9eef4f0

SHA1
71d0005f925bdd040e73dd8431bd9425b71ab7b4

SHA256
b683607df14ae608daf23153c5714922fc1ccf1bd2f298ac7647e98eb59cc2cf

SHA512
1beee595cd09befcada46c89fb090e74804f11f6ff1c2e8f9fb5c2a9341b06122f7adddb85c19572392d835607edbf69375917ea6ccca22d18c1b868dce29def

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll

Filesize
126KB

MD5
adbaf286228c46522e50371c4be31a03

SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297

SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll

Filesize
126KB

MD5
adbaf286228c46522e50371c4be31a03

SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297

SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0

SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d

Download Submit
memory/536-146-0x000000000060F000-0x000000000062E000-memory.dmp

Filesize
124KB

Download
memory/536-149-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/536-148-0x000000000060F000-0x000000000062E000-memory.dmp

Filesize
124KB

Download
memory/536-147-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1488-133-0x00000000021C0000-0x00000000021FE000-memory.dmp

Filesize
248KB

Download
memory/1488-134-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1488-132-0x00000000004ED000-0x000000000050C000-memory.dmp

Filesize
124KB

Download
memory/1488-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1488-141-0x00000000004ED000-0x000000000050C000-memory.dmp

Filesize
124KB

Download
memory/2328-154-0x000000000067F000-0x000000000069E000-memory.dmp

Filesize
124KB

Download
memory/2328-155-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2328-156-0x000000000067F000-0x000000000069E000-memory.dmp

Filesize
124KB

Download
memory/2328-157-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4896-140-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4896-143-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/4896-139-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads