amadey | 440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

Analysis

max time kernel
105s
max time network
129s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

331KB
MD5

008a0ba6dce7fc04132a2e11096c822c
SHA1

4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5
SHA256

440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90
SHA512

65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8
SSDEEP

6144:NCHVs7DyEPUAQwU8KxZsNdlJbR2gOjIDcgeVS:NC1ODxPUAwxYP1JdDcgeVS

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.167/v7eWcjs/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
behavioral1/memory/1940-81-0x00000000001D0000-0x00000000001F4000-memory.dmp	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

5 1940 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

gntuud.exegntuud.exegntuud.exe

pid process

1432 gntuud.exe
1948 gntuud.exe
1556 gntuud.exe
Loads dropped DLL 6 IoCs

Processes:

file.exerundll32.exe

pid process

604 file.exe
604 file.exe
1940 rundll32.exe
1940 rundll32.exe
1940 rundll32.exe
1940 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
5	1940	rundll32.exe

pid	process
1432	gntuud.exe
1948	gntuud.exe
1556	gntuud.exe

pid	process
604	file.exe
604	file.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1792 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1940 rundll32.exe
1940 rundll32.exe
1940 rundll32.exe
1940 rundll32.exe

pid	process
1792	schtasks.exe

pid	process
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

file.exegntuud.exetaskeng.exe

description	pid	process	target process
PID 604 wrote to memory of 1432	604	file.exe	gntuud.exe
PID 604 wrote to memory of 1432	604	file.exe	gntuud.exe
PID 604 wrote to memory of 1432	604	file.exe	gntuud.exe
PID 604 wrote to memory of 1432	604	file.exe	gntuud.exe
PID 1432 wrote to memory of 1792	1432	gntuud.exe	schtasks.exe
PID 1432 wrote to memory of 1792	1432	gntuud.exe	schtasks.exe
PID 1432 wrote to memory of 1792	1432	gntuud.exe	schtasks.exe
PID 1432 wrote to memory of 1792	1432	gntuud.exe	schtasks.exe
PID 1732 wrote to memory of 1948	1732	taskeng.exe	gntuud.exe
PID 1732 wrote to memory of 1948	1732	taskeng.exe	gntuud.exe
PID 1732 wrote to memory of 1948	1732	taskeng.exe	gntuud.exe
PID 1732 wrote to memory of 1948	1732	taskeng.exe	gntuud.exe
PID 1432 wrote to memory of 1940	1432	gntuud.exe	rundll32.exe
PID 1432 wrote to memory of 1940	1432	gntuud.exe	rundll32.exe
PID 1432 wrote to memory of 1940	1432	gntuud.exe	rundll32.exe
PID 1432 wrote to memory of 1940	1432	gntuud.exe	rundll32.exe
PID 1432 wrote to memory of 1940	1432	gntuud.exe	rundll32.exe
PID 1432 wrote to memory of 1940	1432	gntuud.exe	rundll32.exe
PID 1432 wrote to memory of 1940	1432	gntuud.exe	rundll32.exe
PID 1732 wrote to memory of 1556	1732	taskeng.exe	gntuud.exe
PID 1732 wrote to memory of 1556	1732	taskeng.exe	gntuud.exe
PID 1732 wrote to memory of 1556	1732	taskeng.exe	gntuud.exe
PID 1732 wrote to memory of 1556	1732	taskeng.exe	gntuud.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:1792

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1940

C:\Windows\system32\taskeng.exe
taskeng.exe {3D2CD713-0D2F-4CA3-9200-71C40195EE59} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
2⤵
- Executes dropped EXE
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
331KB

MD5
008a0ba6dce7fc04132a2e11096c822c

SHA1
4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

SHA256
440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

SHA512
65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
331KB

MD5
008a0ba6dce7fc04132a2e11096c822c

SHA1
4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

SHA256
440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

SHA512
65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
331KB

MD5
008a0ba6dce7fc04132a2e11096c822c

SHA1
4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

SHA256
440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

SHA512
65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
331KB

MD5
008a0ba6dce7fc04132a2e11096c822c

SHA1
4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

SHA256
440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

SHA512
65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
331KB

MD5
008a0ba6dce7fc04132a2e11096c822c

SHA1
4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

SHA256
440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

SHA512
65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

Download Submit
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
331KB

MD5
008a0ba6dce7fc04132a2e11096c822c

SHA1
4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5

SHA256
440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90

SHA512
65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
memory/604-61-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/604-60-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/604-59-0x00000000008FB000-0x000000000091A000-memory.dmp

Filesize
124KB

Download
memory/1432-67-0x000000000028B000-0x00000000002AA000-memory.dmp

Filesize
124KB

Download
memory/1432-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1432-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1432-57-0x0000000000000000-mapping.dmp

Download
memory/1432-65-0x000000000028B000-0x00000000002AA000-memory.dmp

Filesize
124KB

Download
memory/1556-86-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1556-85-0x000000000059B000-0x00000000005BA000-memory.dmp

Filesize
124KB

Download
memory/1556-82-0x0000000000000000-mapping.dmp

Download
memory/1792-63-0x0000000000000000-mapping.dmp

Download
memory/1940-81-0x00000000001D0000-0x00000000001F4000-memory.dmp

Filesize
144KB

Download
memory/1940-74-0x0000000000000000-mapping.dmp

Download
memory/1948-72-0x000000000059B000-0x00000000005BA000-memory.dmp

Filesize
124KB

Download
memory/1948-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1948-69-0x0000000000000000-mapping.dmp

Download