amadey | 5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

Analysis

max time kernel
98s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0953f9309090c246bfebc27755e19196.exe
Size

244KB
MD5

0953f9309090c246bfebc27755e19196
SHA1

3fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA256

5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA512

9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
SSDEEP

3072:AA6Q0naMOSyeOSZC5tK+famEKPFcDoOi1caRJ+6/lr9LHKtWWdUgUDIlUBsDAbEt:1JSyeOSuHCZD+11RJ+4nL7gLU/Ea

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

62.204.41.252/nB8cWack3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000013aad-79.dat	amadey_cred_module
behavioral1/files/0x0007000000013aad-83.dat	amadey_cred_module
behavioral1/memory/1516-84-0x0000000000280000-0x00000000002A4000-memory.dmp	amadey_cred_module
behavioral1/files/0x0007000000013aad-82.dat	amadey_cred_module
behavioral1/files/0x0007000000013aad-81.dat	amadey_cred_module
behavioral1/files/0x0007000000013aad-80.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1516	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
1144	gntuud.exe
1580	gntuud.exe
828	gntuud.exe

Loads dropped DLL 6 IoCs

pid	Process
1388	0953f9309090c246bfebc27755e19196.exe
1388	0953f9309090c246bfebc27755e19196.exe
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1144	1388	0953f9309090c246bfebc27755e19196.exe	26
PID 1388 wrote to memory of 1144	1388	0953f9309090c246bfebc27755e19196.exe	26
PID 1388 wrote to memory of 1144	1388	0953f9309090c246bfebc27755e19196.exe	26
PID 1388 wrote to memory of 1144	1388	0953f9309090c246bfebc27755e19196.exe	26
PID 1144 wrote to memory of 792	1144	gntuud.exe	27
PID 1144 wrote to memory of 792	1144	gntuud.exe	27
PID 1144 wrote to memory of 792	1144	gntuud.exe	27
PID 1144 wrote to memory of 792	1144	gntuud.exe	27
PID 1164 wrote to memory of 1580	1164	taskeng.exe	32
PID 1164 wrote to memory of 1580	1164	taskeng.exe	32
PID 1164 wrote to memory of 1580	1164	taskeng.exe	32
PID 1164 wrote to memory of 1580	1164	taskeng.exe	32
PID 1144 wrote to memory of 1516	1144	gntuud.exe	33
PID 1144 wrote to memory of 1516	1144	gntuud.exe	33
PID 1144 wrote to memory of 1516	1144	gntuud.exe	33
PID 1144 wrote to memory of 1516	1144	gntuud.exe	33
PID 1144 wrote to memory of 1516	1144	gntuud.exe	33
PID 1144 wrote to memory of 1516	1144	gntuud.exe	33
PID 1144 wrote to memory of 1516	1144	gntuud.exe	33
PID 1164 wrote to memory of 828	1164	taskeng.exe	34
PID 1164 wrote to memory of 828	1164	taskeng.exe	34
PID 1164 wrote to memory of 828	1164	taskeng.exe	34
PID 1164 wrote to memory of 828	1164	taskeng.exe	34

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0953f9309090c246bfebc27755e19196.exe
"C:\Users\Admin\AppData\Local\Temp\0953f9309090c246bfebc27755e19196.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:792
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:1516

C:\Windows\system32\taskeng.exe
taskeng.exe {DD2AB679-972D-402D-B183-1032833D1F44} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  2⤵
  - Executes dropped EXE
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
memory/792-68-0x0000000000000000-mapping.dmp

Download
memory/828-85-0x0000000000000000-mapping.dmp

Download
memory/828-88-0x000000000060B000-0x000000000062A000-memory.dmp

Filesize
124KB

Download
memory/828-89-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1144-60-0x0000000000000000-mapping.dmp

Download
memory/1144-66-0x000000000058B000-0x00000000005AA000-memory.dmp

Filesize
124KB

Download
memory/1144-67-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1144-70-0x000000000058B000-0x00000000005AA000-memory.dmp

Filesize
124KB

Download
memory/1144-71-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1388-62-0x000000000028B000-0x00000000002AA000-memory.dmp

Filesize
124KB

Download
memory/1388-64-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1388-63-0x0000000000480000-0x00000000004BE000-memory.dmp

Filesize
248KB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-57-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1388-56-0x0000000000480000-0x00000000004BE000-memory.dmp

Filesize
248KB

Download
memory/1388-55-0x000000000028B000-0x00000000002AA000-memory.dmp

Filesize
124KB

Download
memory/1516-77-0x0000000000000000-mapping.dmp

Download
memory/1516-84-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/1580-76-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1580-75-0x000000000065B000-0x000000000067A000-memory.dmp

Filesize
124KB

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download