amadey | 5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

General

Target

0953f9309090c246bfebc27755e19196.exe
Size

244KB
MD5

0953f9309090c246bfebc27755e19196
SHA1

3fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA256

5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA512

9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
SSDEEP

3072:AA6Q0naMOSyeOSZC5tK+famEKPFcDoOi1caRJ+6/lr9LHKtWWdUgUDIlUBsDAbEt:1JSyeOSuHCZD+11RJ+4nL7gLU/Ea

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

62.204.41.252/nB8cWack3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e82a-149.dat	amadey_cred_module
behavioral2/files/0x000700000001e82a-150.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
33	3616	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4796	gntuud.exe
4200	gntuud.exe
2800	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0953f9309090c246bfebc27755e19196.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 1 IoCs

pid	Process
3616	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1396	2564	WerFault.exe	79
960	4200	WerFault.exe	93
3228	2800	WerFault.exe	97

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 4796	2564	0953f9309090c246bfebc27755e19196.exe	80
PID 2564 wrote to memory of 4796	2564	0953f9309090c246bfebc27755e19196.exe	80
PID 2564 wrote to memory of 4796	2564	0953f9309090c246bfebc27755e19196.exe	80
PID 4796 wrote to memory of 1296	4796	gntuud.exe	84
PID 4796 wrote to memory of 1296	4796	gntuud.exe	84
PID 4796 wrote to memory of 1296	4796	gntuud.exe	84
PID 4796 wrote to memory of 3616	4796	gntuud.exe	96
PID 4796 wrote to memory of 3616	4796	gntuud.exe	96
PID 4796 wrote to memory of 3616	4796	gntuud.exe	96

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0953f9309090c246bfebc27755e19196.exe
"C:\Users\Admin\AppData\Local\Temp\0953f9309090c246bfebc27755e19196.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1296
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:3616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 908
  2⤵
  - Program crash
  PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2564 -ip 2564
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 424
  2⤵
  - Program crash
  PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4200 -ip 4200
1⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:2800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 416
  2⤵
  - Program crash
  PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2800 -ip 2800
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
memory/1296-141-0x0000000000000000-mapping.dmp

Download
memory/2564-138-0x0000000000668000-0x0000000000687000-memory.dmp

Filesize
124KB

Download
memory/2564-139-0x0000000000610000-0x000000000064E000-memory.dmp

Filesize
248KB

Download
memory/2564-140-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2564-134-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2564-133-0x0000000000610000-0x000000000064E000-memory.dmp

Filesize
248KB

Download
memory/2564-132-0x0000000000668000-0x0000000000687000-memory.dmp

Filesize
124KB

Download
memory/2800-152-0x00000000004FC000-0x000000000051B000-memory.dmp

Filesize
124KB

Download
memory/2800-153-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3616-148-0x0000000000000000-mapping.dmp

Download
memory/4200-147-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4200-146-0x000000000063C000-0x000000000065B000-memory.dmp

Filesize
124KB

Download
memory/4796-144-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4796-143-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4796-142-0x00000000006A8000-0x00000000006C7000-memory.dmp

Filesize
124KB

Download
memory/4796-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads