amadey | dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2

Analysis

max time kernel
124s
max time network
166s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
Size

380KB
MD5

f990042d798722b3990094c81f0acfc9
SHA1

680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f
SHA256

dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2
SHA512

77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052
SSDEEP

6144:JzOPJKVhoUOCDQo7aBfmwvPN4eUYPO79Dxymlgl9WfaG1PI:JzOPE+URNWOYNdUrVyWgldG

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.167/v7eWcjs/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
behavioral1/memory/1408-84-0x0000000000240000-0x0000000000264000-memory.dmp	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

5 1408 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

gntuud.exegntuud.exegntuud.exe

pid process

1108 gntuud.exe
824 gntuud.exe
1104 gntuud.exe

flow	pid	process
5	1408	rundll32.exe

pid	process
1108	gntuud.exe
824	gntuud.exe
1104	gntuud.exe

Loads dropped DLL 6 IoCs

Processes:

dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exerundll32.exe

pid	process
960	dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
960	dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1600 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1408 rundll32.exe
1408 rundll32.exe
1408 rundll32.exe
1408 rundll32.exe

pid	process
1600	schtasks.exe

pid	process
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exegntuud.exetaskeng.exe

description	pid	process	target process
PID 960 wrote to memory of 1108	960	dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe	gntuud.exe
PID 960 wrote to memory of 1108	960	dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe	gntuud.exe
PID 960 wrote to memory of 1108	960	dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe	gntuud.exe
PID 960 wrote to memory of 1108	960	dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe	gntuud.exe
PID 1108 wrote to memory of 1600	1108	gntuud.exe	schtasks.exe
PID 1108 wrote to memory of 1600	1108	gntuud.exe	schtasks.exe
PID 1108 wrote to memory of 1600	1108	gntuud.exe	schtasks.exe
PID 1108 wrote to memory of 1600	1108	gntuud.exe	schtasks.exe
PID 564 wrote to memory of 824	564	taskeng.exe	gntuud.exe
PID 564 wrote to memory of 824	564	taskeng.exe	gntuud.exe
PID 564 wrote to memory of 824	564	taskeng.exe	gntuud.exe
PID 564 wrote to memory of 824	564	taskeng.exe	gntuud.exe
PID 1108 wrote to memory of 1408	1108	gntuud.exe	rundll32.exe
PID 1108 wrote to memory of 1408	1108	gntuud.exe	rundll32.exe
PID 1108 wrote to memory of 1408	1108	gntuud.exe	rundll32.exe
PID 1108 wrote to memory of 1408	1108	gntuud.exe	rundll32.exe
PID 1108 wrote to memory of 1408	1108	gntuud.exe	rundll32.exe
PID 1108 wrote to memory of 1408	1108	gntuud.exe	rundll32.exe
PID 1108 wrote to memory of 1408	1108	gntuud.exe	rundll32.exe
PID 564 wrote to memory of 1104	564	taskeng.exe	gntuud.exe
PID 564 wrote to memory of 1104	564	taskeng.exe	gntuud.exe
PID 564 wrote to memory of 1104	564	taskeng.exe	gntuud.exe
PID 564 wrote to memory of 1104	564	taskeng.exe	gntuud.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
"C:\Users\Admin\AppData\Local\Temp\dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:1600

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1408

C:\Windows\system32\taskeng.exe
taskeng.exe {D4C5A827-FA2F-41B6-9125-E2899B29676E} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
2⤵
- Executes dropped EXE
PID:824

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
2⤵
- Executes dropped EXE
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
380KB

MD5
f990042d798722b3990094c81f0acfc9

SHA1
680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f

SHA256
dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2

SHA512
77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
380KB

MD5
f990042d798722b3990094c81f0acfc9

SHA1
680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f

SHA256
dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2

SHA512
77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
380KB

MD5
f990042d798722b3990094c81f0acfc9

SHA1
680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f

SHA256
dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2

SHA512
77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
380KB

MD5
f990042d798722b3990094c81f0acfc9

SHA1
680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f

SHA256
dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2

SHA512
77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052

Download Submit
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
380KB

MD5
f990042d798722b3990094c81f0acfc9

SHA1
680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f

SHA256
dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2

SHA512
77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052

Download Submit
\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
Filesize
380KB

MD5
f990042d798722b3990094c81f0acfc9

SHA1
680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f

SHA256
dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2

SHA512
77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
Filesize
126KB

MD5
aebf8cd9ea982decded5ee6f3777c6d7

SHA1
406e723158cd5697503d1d04839d3bc7a5051603

SHA256
104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

SHA512
f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981

Download Submit
memory/824-76-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/824-75-0x00000000005C8000-0x00000000005E7000-memory.dmp

Filesize
124KB

Download
memory/824-73-0x00000000005C8000-0x00000000005E7000-memory.dmp

Filesize
124KB

Download
memory/824-71-0x0000000000000000-mapping.dmp

Download
memory/960-62-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/960-61-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/960-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/960-60-0x00000000002C8000-0x00000000002E7000-memory.dmp

Filesize
124KB

Download
memory/960-54-0x00000000002C8000-0x00000000002E7000-memory.dmp

Filesize
124KB

Download
memory/1104-90-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1104-89-0x0000000000568000-0x0000000000587000-memory.dmp

Filesize
124KB

Download
memory/1104-87-0x0000000000568000-0x0000000000587000-memory.dmp

Filesize
124KB

Download
memory/1104-85-0x0000000000000000-mapping.dmp

Download
memory/1108-65-0x00000000005B8000-0x00000000005D7000-memory.dmp

Filesize
124KB

Download
memory/1108-63-0x00000000005B8000-0x00000000005D7000-memory.dmp

Filesize
124KB

Download
memory/1108-58-0x0000000000000000-mapping.dmp

Download
memory/1108-70-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1108-66-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1108-69-0x00000000005B8000-0x00000000005D7000-memory.dmp

Filesize
124KB

Download
memory/1408-84-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/1408-77-0x0000000000000000-mapping.dmp

Download
memory/1600-67-0x0000000000000000-mapping.dmp

Download