amadey | 7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8

Analysis

max time kernel
194s
max time network
257s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

332KB
MD5

cb224fa9c997ca170553d96aedc36f5e
SHA1

40fe73f63ad3eee278f194c321419595f61dad91
SHA256

7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8
SHA512

c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729
SSDEEP

6144:ZaR9xA3l8Er8vQ4Ifmc6PoJG4iKWzujBNfIDcJbDTVS:ZaR7AVjrmDoZ6PoJGcwDcJbXVS

Score

10^/10

amadey redline wish collection infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

62.204.41.6/p9cWxH/index.php

Extracted

Family

redline

Botnet

Wish

31.41.244.14:4694

Attributes

auth_value
836b5b05c28f01127949ef1e84b93e92

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 860 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

gntuud.exewish.exebuild333333.exe

pid process

528 gntuud.exe
108 wish.exe
1160 build333333.exe
Loads dropped DLL 9 IoCs

Processes:

file.exerundll32.exegntuud.exe

pid process

1164 file.exe
1164 file.exe
860 rundll32.exe
860 rundll32.exe
860 rundll32.exe
860 rundll32.exe
528 gntuud.exe
528 gntuud.exe
528 gntuud.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	860	rundll32.exe

pid	process
528	gntuud.exe
108	wish.exe
1160	build333333.exe

pid	process
1164	file.exe
1164	file.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
528	gntuud.exe
528	gntuud.exe
528	gntuud.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wish.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000012001\\wish.exe"	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1280 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

860 rundll32.exe
860 rundll32.exe
860 rundll32.exe
860 rundll32.exe

pid	process
1280	schtasks.exe

pid	process
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

file.exegntuud.exe

description	pid	process	target process
PID 1164 wrote to memory of 528	1164	file.exe	gntuud.exe
PID 1164 wrote to memory of 528	1164	file.exe	gntuud.exe
PID 1164 wrote to memory of 528	1164	file.exe	gntuud.exe
PID 1164 wrote to memory of 528	1164	file.exe	gntuud.exe
PID 528 wrote to memory of 1280	528	gntuud.exe	schtasks.exe
PID 528 wrote to memory of 1280	528	gntuud.exe	schtasks.exe
PID 528 wrote to memory of 1280	528	gntuud.exe	schtasks.exe
PID 528 wrote to memory of 1280	528	gntuud.exe	schtasks.exe
PID 528 wrote to memory of 860	528	gntuud.exe	rundll32.exe
PID 528 wrote to memory of 860	528	gntuud.exe	rundll32.exe
PID 528 wrote to memory of 860	528	gntuud.exe	rundll32.exe
PID 528 wrote to memory of 860	528	gntuud.exe	rundll32.exe
PID 528 wrote to memory of 860	528	gntuud.exe	rundll32.exe
PID 528 wrote to memory of 860	528	gntuud.exe	rundll32.exe
PID 528 wrote to memory of 860	528	gntuud.exe	rundll32.exe
PID 528 wrote to memory of 108	528	gntuud.exe	wish.exe
PID 528 wrote to memory of 108	528	gntuud.exe	wish.exe
PID 528 wrote to memory of 108	528	gntuud.exe	wish.exe
PID 528 wrote to memory of 108	528	gntuud.exe	wish.exe
PID 528 wrote to memory of 1160	528	gntuud.exe	build333333.exe
PID 528 wrote to memory of 1160	528	gntuud.exe	build333333.exe
PID 528 wrote to memory of 1160	528	gntuud.exe	build333333.exe
PID 528 wrote to memory of 1160	528	gntuud.exe	build333333.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:1280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:860

C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe"
3⤵
- Executes dropped EXE
PID:108

C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe"
3⤵
- Executes dropped EXE
PID:1160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
Filesize
175KB

MD5
8b08fce2936c8363994dda1d6e9ddadf

SHA1
15cfdfe6e406c0e69d2e6261b898b97eed6f34e2

SHA256
3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991

SHA512
925ad9dbe1681a3494450978217c0dd98b637e681a9713280756908f444bef95cf9b9649aa80383561ec59b5951885901b16227e9853c1111a4271ab8e1d0b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
Filesize
175KB

MD5
8b08fce2936c8363994dda1d6e9ddadf

SHA1
15cfdfe6e406c0e69d2e6261b898b97eed6f34e2

SHA256
3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991

SHA512
925ad9dbe1681a3494450978217c0dd98b637e681a9713280756908f444bef95cf9b9649aa80383561ec59b5951885901b16227e9853c1111a4271ab8e1d0b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
Filesize
2.9MB

MD5
c9c15c4061ab4de4cb7c473c2760f923

SHA1
e64cbcd186178d44a1e8584c417b7d865417be0b

SHA256
d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e

SHA512
6fe139e6e5d7923b932938acfd32b041fb16dac5945c50ef81a5dd61563d0faf1ef1a97db28a9f23a40abfe2fe78f756477157a13b217f6cf199a5ec122ab367

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
cb224fa9c997ca170553d96aedc36f5e

SHA1
40fe73f63ad3eee278f194c321419595f61dad91

SHA256
7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8

SHA512
c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
cb224fa9c997ca170553d96aedc36f5e

SHA1
40fe73f63ad3eee278f194c321419595f61dad91

SHA256
7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8

SHA512
c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
Filesize
175KB

MD5
8b08fce2936c8363994dda1d6e9ddadf

SHA1
15cfdfe6e406c0e69d2e6261b898b97eed6f34e2

SHA256
3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991

SHA512
925ad9dbe1681a3494450978217c0dd98b637e681a9713280756908f444bef95cf9b9649aa80383561ec59b5951885901b16227e9853c1111a4271ab8e1d0b67

Download Submit
\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
Filesize
2.9MB

MD5
c9c15c4061ab4de4cb7c473c2760f923

SHA1
e64cbcd186178d44a1e8584c417b7d865417be0b

SHA256
d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e

SHA512
6fe139e6e5d7923b932938acfd32b041fb16dac5945c50ef81a5dd61563d0faf1ef1a97db28a9f23a40abfe2fe78f756477157a13b217f6cf199a5ec122ab367

Download Submit
\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
Filesize
2.9MB

MD5
c9c15c4061ab4de4cb7c473c2760f923

SHA1
e64cbcd186178d44a1e8584c417b7d865417be0b

SHA256
d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e

SHA512
6fe139e6e5d7923b932938acfd32b041fb16dac5945c50ef81a5dd61563d0faf1ef1a97db28a9f23a40abfe2fe78f756477157a13b217f6cf199a5ec122ab367

Download Submit
\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
cb224fa9c997ca170553d96aedc36f5e

SHA1
40fe73f63ad3eee278f194c321419595f61dad91

SHA256
7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8

SHA512
c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729

Download Submit
\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
cb224fa9c997ca170553d96aedc36f5e

SHA1
40fe73f63ad3eee278f194c321419595f61dad91

SHA256
7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8

SHA512
c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
memory/108-81-0x00000000003C0000-0x00000000003F2000-memory.dmp

Filesize
200KB

Download
memory/108-78-0x0000000000000000-mapping.dmp

Download
memory/528-69-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/528-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/528-65-0x000000000055B000-0x000000000057A000-memory.dmp

Filesize
124KB

Download
memory/528-59-0x0000000000000000-mapping.dmp

Download
memory/860-70-0x0000000000000000-mapping.dmp

Download
memory/1160-85-0x0000000000000000-mapping.dmp

Download
memory/1164-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1164-63-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1164-62-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1164-61-0x000000000030B000-0x000000000032A000-memory.dmp

Filesize
124KB

Download
memory/1164-56-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1164-55-0x000000000030B000-0x000000000032A000-memory.dmp

Filesize
124KB

Download
memory/1280-67-0x0000000000000000-mapping.dmp

Download