amadey | 5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70

Analysis

max time kernel
184s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

260KB
MD5

cc0625d0a816c1e97a8ee955bb2c0d54
SHA1

034096104494e5d85088e086c5d26901a3b13451
SHA256

5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70
SHA512

9091fb27b63d9b1d19e7ab5c49d3d6655fc470f151f34ca954fc76e9045fe9d0f3306b0297d31c9ba5933e8bc3314e30bbfd6e3df4dc019f87e489a51da35130
SSDEEP

3072:Epj/dI4OwMl+Ui5jA68sgHoSw8ULsjlF33079UQ1mRcN8k8+zq27Aa/FBjfhTDwO:WMl+D8sgeKpFWBY+NDz17NFBju02s+

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

62.204.41.6/p9cWxH/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

59 4316 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

gntuud.exegntuud.exelinda5.exegntuud.exe

pid process

4204 gntuud.exe
4444 gntuud.exe
1884 linda5.exe
1364 gntuud.exe

flow	pid	process
59	4316	rundll32.exe

pid	process
4204	gntuud.exe
4444	gntuud.exe
1884	linda5.exe
1364	gntuud.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exegntuud.exelinda5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	linda5.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4316 rundll32.exe
2820 rundll32.exe
2820 rundll32.exe
4068 rundll32.exe
4068 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4316	rundll32.exe
2820	rundll32.exe
2820	rundll32.exe
4068	rundll32.exe
4068	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1388 4004 WerFault.exe file.exe
364 4444 WerFault.exe gntuud.exe
1856 1364 WerFault.exe gntuud.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

320 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4316 rundll32.exe
4316 rundll32.exe
4316 rundll32.exe
4316 rundll32.exe

pid	pid_target	process	target process
1388	4004	WerFault.exe	file.exe
364	4444	WerFault.exe	gntuud.exe
1856	1364	WerFault.exe	gntuud.exe

pid	process
320	schtasks.exe

pid	process
4316	rundll32.exe
4316	rundll32.exe
4316	rundll32.exe
4316	rundll32.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

file.exegntuud.exelinda5.execontrol.exerundll32.exe

description	pid	process	target process
PID 4004 wrote to memory of 4204	4004	file.exe	gntuud.exe
PID 4004 wrote to memory of 4204	4004	file.exe	gntuud.exe
PID 4004 wrote to memory of 4204	4004	file.exe	gntuud.exe
PID 4204 wrote to memory of 320	4204	gntuud.exe	schtasks.exe
PID 4204 wrote to memory of 320	4204	gntuud.exe	schtasks.exe
PID 4204 wrote to memory of 320	4204	gntuud.exe	schtasks.exe
PID 4204 wrote to memory of 1884	4204	gntuud.exe	linda5.exe
PID 4204 wrote to memory of 1884	4204	gntuud.exe	linda5.exe
PID 4204 wrote to memory of 1884	4204	gntuud.exe	linda5.exe
PID 4204 wrote to memory of 4316	4204	gntuud.exe	rundll32.exe
PID 4204 wrote to memory of 4316	4204	gntuud.exe	rundll32.exe
PID 4204 wrote to memory of 4316	4204	gntuud.exe	rundll32.exe
PID 1884 wrote to memory of 1624	1884	linda5.exe	control.exe
PID 1884 wrote to memory of 1624	1884	linda5.exe	control.exe
PID 1884 wrote to memory of 1624	1884	linda5.exe	control.exe
PID 1624 wrote to memory of 2820	1624	control.exe	rundll32.exe
PID 1624 wrote to memory of 2820	1624	control.exe	rundll32.exe
PID 1624 wrote to memory of 2820	1624	control.exe	rundll32.exe
PID 2820 wrote to memory of 5048	2820	rundll32.exe	RunDll32.exe
PID 2820 wrote to memory of 5048	2820	rundll32.exe	RunDll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:320

C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\t725LbZ.A
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\t725LbZ.A
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\t725LbZ.A
6⤵
PID:5048

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\t725LbZ.A
7⤵
- Loads dropped DLL
PID:4068

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1140
2⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4004 -ip 4004
1⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 416
2⤵
- Program crash
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4444 -ip 4444
1⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 424
2⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1364 -ip 1364
1⤵
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
Filesize
1.6MB

MD5
678c0bd00c5575055ab836ab9e6a3e21

SHA1
9968f7715492a1a0e1c610524175e8f854f6b0da

SHA256
318ff4836b8ced8563567e136200d50f344880b4f3a4f23e96585ff5f37809da

SHA512
86a66ba7faef681ad9096b8d6117bd738c2e5e9cc5bd5278bcd64ad1709f9f009006110b73934d8be18fca228a3c06fa20bdc45e1b6b54c9c60dc149fd465321

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
Filesize
1.6MB

MD5
678c0bd00c5575055ab836ab9e6a3e21

SHA1
9968f7715492a1a0e1c610524175e8f854f6b0da

SHA256
318ff4836b8ced8563567e136200d50f344880b4f3a4f23e96585ff5f37809da

SHA512
86a66ba7faef681ad9096b8d6117bd738c2e5e9cc5bd5278bcd64ad1709f9f009006110b73934d8be18fca228a3c06fa20bdc45e1b6b54c9c60dc149fd465321

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
260KB

MD5
cc0625d0a816c1e97a8ee955bb2c0d54

SHA1
034096104494e5d85088e086c5d26901a3b13451

SHA256
5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70

SHA512
9091fb27b63d9b1d19e7ab5c49d3d6655fc470f151f34ca954fc76e9045fe9d0f3306b0297d31c9ba5933e8bc3314e30bbfd6e3df4dc019f87e489a51da35130

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
260KB

MD5
cc0625d0a816c1e97a8ee955bb2c0d54

SHA1
034096104494e5d85088e086c5d26901a3b13451

SHA256
5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70

SHA512
9091fb27b63d9b1d19e7ab5c49d3d6655fc470f151f34ca954fc76e9045fe9d0f3306b0297d31c9ba5933e8bc3314e30bbfd6e3df4dc019f87e489a51da35130

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
260KB

MD5
cc0625d0a816c1e97a8ee955bb2c0d54

SHA1
034096104494e5d85088e086c5d26901a3b13451

SHA256
5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70

SHA512
9091fb27b63d9b1d19e7ab5c49d3d6655fc470f151f34ca954fc76e9045fe9d0f3306b0297d31c9ba5933e8bc3314e30bbfd6e3df4dc019f87e489a51da35130

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
260KB

MD5
cc0625d0a816c1e97a8ee955bb2c0d54

SHA1
034096104494e5d85088e086c5d26901a3b13451

SHA256
5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70

SHA512
9091fb27b63d9b1d19e7ab5c49d3d6655fc470f151f34ca954fc76e9045fe9d0f3306b0297d31c9ba5933e8bc3314e30bbfd6e3df4dc019f87e489a51da35130

Download Submit
C:\Users\Admin\AppData\Local\Temp\t725LbZ.A
Filesize
2.8MB

MD5
2b47fe6e0c79d350ac1569096f179b40

SHA1
e2a442df29f0f7b24b5fbdf5b9c82bfbe88d323d

SHA256
fd3c87a09bc135e8aebc64eb5f5f26ec643f3a08f004b23bd432101c13d5e169

SHA512
1e88e199d0b274b4085264e9531830ac35d8ef16d3bace4c78341f9ad065cfb81fdc6f723092a2e12f6f67dbd73d12315c82cacc40f6e9ad107580a4ac6921d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\t725lbZ.a
Filesize
2.8MB

MD5
2b47fe6e0c79d350ac1569096f179b40

SHA1
e2a442df29f0f7b24b5fbdf5b9c82bfbe88d323d

SHA256
fd3c87a09bc135e8aebc64eb5f5f26ec643f3a08f004b23bd432101c13d5e169

SHA512
1e88e199d0b274b4085264e9531830ac35d8ef16d3bace4c78341f9ad065cfb81fdc6f723092a2e12f6f67dbd73d12315c82cacc40f6e9ad107580a4ac6921d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\t725lbZ.a
Filesize
2.8MB

MD5
2b47fe6e0c79d350ac1569096f179b40

SHA1
e2a442df29f0f7b24b5fbdf5b9c82bfbe88d323d

SHA256
fd3c87a09bc135e8aebc64eb5f5f26ec643f3a08f004b23bd432101c13d5e169

SHA512
1e88e199d0b274b4085264e9531830ac35d8ef16d3bace4c78341f9ad065cfb81fdc6f723092a2e12f6f67dbd73d12315c82cacc40f6e9ad107580a4ac6921d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\t725lbZ.a
Filesize
2.8MB

MD5
2b47fe6e0c79d350ac1569096f179b40

SHA1
e2a442df29f0f7b24b5fbdf5b9c82bfbe88d323d

SHA256
fd3c87a09bc135e8aebc64eb5f5f26ec643f3a08f004b23bd432101c13d5e169

SHA512
1e88e199d0b274b4085264e9531830ac35d8ef16d3bace4c78341f9ad065cfb81fdc6f723092a2e12f6f67dbd73d12315c82cacc40f6e9ad107580a4ac6921d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\t725lbZ.a
Filesize
2.8MB

MD5
2b47fe6e0c79d350ac1569096f179b40

SHA1
e2a442df29f0f7b24b5fbdf5b9c82bfbe88d323d

SHA256
fd3c87a09bc135e8aebc64eb5f5f26ec643f3a08f004b23bd432101c13d5e169

SHA512
1e88e199d0b274b4085264e9531830ac35d8ef16d3bace4c78341f9ad065cfb81fdc6f723092a2e12f6f67dbd73d12315c82cacc40f6e9ad107580a4ac6921d2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
memory/320-140-0x0000000000000000-mapping.dmp

Download
memory/1364-178-0x000000000073B000-0x000000000075B000-memory.dmp

Filesize
128KB

Download
memory/1364-179-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1624-153-0x0000000000000000-mapping.dmp

Download
memory/1884-147-0x0000000000000000-mapping.dmp

Download
memory/2820-154-0x0000000000000000-mapping.dmp

Download
memory/2820-159-0x00000000031A0000-0x0000000003416000-memory.dmp

Filesize
2.5MB

Download
memory/2820-165-0x0000000003540000-0x0000000003654000-memory.dmp

Filesize
1.1MB

Download
memory/2820-162-0x0000000003760000-0x0000000003839000-memory.dmp

Filesize
868KB

Download
memory/2820-161-0x0000000003660000-0x0000000003751000-memory.dmp

Filesize
964KB

Download
memory/2820-160-0x0000000003540000-0x0000000003654000-memory.dmp

Filesize
1.1MB

Download
memory/2820-158-0x0000000002B50000-0x0000000002E18000-memory.dmp

Filesize
2.8MB

Download
memory/4004-142-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4004-133-0x0000000002070000-0x00000000020AE000-memory.dmp

Filesize
248KB

Download
memory/4004-134-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4004-132-0x00000000004D9000-0x00000000004F8000-memory.dmp

Filesize
124KB

Download
memory/4004-141-0x00000000004D9000-0x00000000004F8000-memory.dmp

Filesize
124KB

Download
memory/4068-170-0x0000000003560000-0x00000000037D6000-memory.dmp

Filesize
2.5MB

Download
memory/4068-177-0x0000000003900000-0x0000000003A14000-memory.dmp

Filesize
1.1MB

Download
memory/4068-173-0x0000000003B20000-0x0000000003BF9000-memory.dmp

Filesize
868KB

Download
memory/4068-172-0x0000000003A20000-0x0000000003B11000-memory.dmp

Filesize
964KB

Download
memory/4068-171-0x0000000003900000-0x0000000003A14000-memory.dmp

Filesize
1.1MB

Download
memory/4068-169-0x0000000002F10000-0x00000000031D8000-memory.dmp

Filesize
2.8MB

Download
memory/4204-138-0x0000000000828000-0x0000000000847000-memory.dmp

Filesize
124KB

Download
memory/4204-139-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4204-135-0x0000000000000000-mapping.dmp

Download
memory/4204-143-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4316-149-0x0000000000000000-mapping.dmp

Download
memory/4444-146-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4444-145-0x000000000058B000-0x00000000005AA000-memory.dmp

Filesize
124KB

Download
memory/5048-166-0x0000000000000000-mapping.dmp

Download