amadey | 8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e

General

Target

8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e.exe
Size

421KB
MD5

c28ad2b3a26a87e8eb693cc04fe39b1f
SHA1

fe8227995655473907f9c5db98ad05ba76d0dc23
SHA256

8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e
SHA512

f6fc0726378fb630517924fa339e1771c3be5c78f95055e6c4f45979557c986b584973f4b900acdd4d44c4c2b56eeda135021a706a6c5f6347c6c820eee5b39b
SSDEEP

6144:NW08L/UkubieUhou9fWYJHuobWnicoGGqWcoBlCb4oFMM4aVe:NwTUkubieG9W0u7nFqcWCXMx3

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.133.72/hfk3vK9/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

resource	yara_rule
behavioral1/files/0x0004000000022e0e-149.dat	amadey_cred_module
behavioral1/memory/4252-152-0x0000000000630000-0x0000000000654000-memory.dmp	amadey_cred_module
behavioral1/files/0x0004000000022e0e-151.dat	amadey_cred_module
behavioral1/files/0x0004000000022e0e-150.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
41	4252	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3304	gntuud.exe
3724	gntuud.exe
4624	gntuud.exe
1160	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 2 IoCs

pid	Process
4252	rundll32.exe
4252	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4976	3392	WerFault.exe	54
2264	3724	WerFault.exe	92
2548	4624	WerFault.exe	97
3508	1160	WerFault.exe	100

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 3304	3392	8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e.exe	80
PID 3392 wrote to memory of 3304	3392	8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e.exe	80
PID 3392 wrote to memory of 3304	3392	8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e.exe	80
PID 3304 wrote to memory of 1324	3304	gntuud.exe	84
PID 3304 wrote to memory of 1324	3304	gntuud.exe	84
PID 3304 wrote to memory of 1324	3304	gntuud.exe	84
PID 3304 wrote to memory of 4252	3304	gntuud.exe	96
PID 3304 wrote to memory of 4252	3304	gntuud.exe	96
PID 3304 wrote to memory of 4252	3304	gntuud.exe	96

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e.exe
"C:\Users\Admin\AppData\Local\Temp\8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1324
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 900
  2⤵
  - Program crash
  PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3392 -ip 3392
1⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
1⤵
- Executes dropped EXE
PID:3724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 416
  2⤵
  - Program crash
  PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3724 -ip 3724
1⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
1⤵
- Executes dropped EXE
PID:4624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 440
  2⤵
  - Program crash
  PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4624 -ip 4624
1⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
1⤵
- Executes dropped EXE
PID:1160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 416
  2⤵
  - Program crash
  PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1160 -ip 1160
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe

Filesize
421KB

MD5
c28ad2b3a26a87e8eb693cc04fe39b1f

SHA1
fe8227995655473907f9c5db98ad05ba76d0dc23

SHA256
8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e

SHA512
f6fc0726378fb630517924fa339e1771c3be5c78f95055e6c4f45979557c986b584973f4b900acdd4d44c4c2b56eeda135021a706a6c5f6347c6c820eee5b39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe

Filesize
421KB

MD5
c28ad2b3a26a87e8eb693cc04fe39b1f

SHA1
fe8227995655473907f9c5db98ad05ba76d0dc23

SHA256
8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e

SHA512
f6fc0726378fb630517924fa339e1771c3be5c78f95055e6c4f45979557c986b584973f4b900acdd4d44c4c2b56eeda135021a706a6c5f6347c6c820eee5b39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe

Filesize
421KB

MD5
c28ad2b3a26a87e8eb693cc04fe39b1f

SHA1
fe8227995655473907f9c5db98ad05ba76d0dc23

SHA256
8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e

SHA512
f6fc0726378fb630517924fa339e1771c3be5c78f95055e6c4f45979557c986b584973f4b900acdd4d44c4c2b56eeda135021a706a6c5f6347c6c820eee5b39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe

Filesize
421KB

MD5
c28ad2b3a26a87e8eb693cc04fe39b1f

SHA1
fe8227995655473907f9c5db98ad05ba76d0dc23

SHA256
8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e

SHA512
f6fc0726378fb630517924fa339e1771c3be5c78f95055e6c4f45979557c986b584973f4b900acdd4d44c4c2b56eeda135021a706a6c5f6347c6c820eee5b39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe

Filesize
421KB

MD5
c28ad2b3a26a87e8eb693cc04fe39b1f

SHA1
fe8227995655473907f9c5db98ad05ba76d0dc23

SHA256
8aea4f8f0154c726773c0208ca850951972a21af7d5fcacf3ca3b57dea612b9e

SHA512
f6fc0726378fb630517924fa339e1771c3be5c78f95055e6c4f45979557c986b584973f4b900acdd4d44c4c2b56eeda135021a706a6c5f6347c6c820eee5b39b

Download Submit
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll

Filesize
126KB

MD5
349b2b47fef50fa6a1fc19d0ee4b2db8

SHA1
077f4328b3f060a9f010b1a63d9e127d24ddafd4

SHA256
5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0

SHA512
83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773

Download Submit
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll

Filesize
126KB

MD5
349b2b47fef50fa6a1fc19d0ee4b2db8

SHA1
077f4328b3f060a9f010b1a63d9e127d24ddafd4

SHA256
5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0

SHA512
83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773

Download Submit
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll

Filesize
126KB

MD5
349b2b47fef50fa6a1fc19d0ee4b2db8

SHA1
077f4328b3f060a9f010b1a63d9e127d24ddafd4

SHA256
5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0

SHA512
83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773

Download Submit
memory/1160-158-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1160-157-0x000000000066A000-0x0000000000689000-memory.dmp

Filesize
124KB

Download
memory/3304-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3304-143-0x0000000000616000-0x0000000000635000-memory.dmp

Filesize
124KB

Download
memory/3304-142-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3304-141-0x0000000000616000-0x0000000000635000-memory.dmp

Filesize
124KB

Download
memory/3392-138-0x0000000000687000-0x00000000006A6000-memory.dmp

Filesize
124KB

Download
memory/3392-139-0x00000000005F0000-0x000000000062E000-memory.dmp

Filesize
248KB

Download
memory/3392-132-0x0000000000687000-0x00000000006A6000-memory.dmp

Filesize
124KB

Download
memory/3392-137-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3392-133-0x00000000005F0000-0x000000000062E000-memory.dmp

Filesize
248KB

Download
memory/3724-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3724-146-0x00000000004EA000-0x0000000000509000-memory.dmp

Filesize
124KB

Download
memory/4252-152-0x0000000000630000-0x0000000000654000-memory.dmp

Filesize
144KB

Download
memory/4624-154-0x000000000055A000-0x0000000000579000-memory.dmp

Filesize
124KB

Download
memory/4624-155-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads