amadey | bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877

Analysis

max time kernel
116s
max time network
130s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
17/12/2022, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

273KB
MD5

47760f0b6871e4b571ed5303d9cbe183
SHA1

34769f3ddf05f99ab6c96cc174a884084a6a3e25
SHA256

bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877
SHA512

5966ca19f7a997c82445a06db684d80b372a8857d2ba685feab293ceeeb08c6fd03e805f26bf9581e9cc05cf28e0609487d19777fc30a89766774147edd542e1
SSDEEP

6144:/oLdVLHHr8qw3eIeVzUOhXy8mjO8g3CUU0V6:QL7DL8n3leb/bS5O

Score

10^/10

amadey redline nokia upadated.999 collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.61

62.204.41.79/r8Bsje3/index.php

Extracted

Family

redline

Botnet

Upadated.999

185.106.92.214:27015

Attributes

auth_value
a6d503c1c63820e9c4a9b5de84087f3f

Extracted

Family

redline

Botnet

nokia

31.41.244.198:4083

Attributes

auth_value
3b38e056d594ae0cf1368e6e1daa3a4e

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 5 IoCs

resource	yara_rule
behavioral1/files/0x00070000000139ed-99.dat	amadey_cred_module
behavioral1/files/0x00070000000139ed-100.dat	amadey_cred_module
behavioral1/files/0x00070000000139ed-101.dat	amadey_cred_module
behavioral1/files/0x00070000000139ed-102.dat	amadey_cred_module
behavioral1/files/0x00070000000139ed-103.dat	amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/1944-81-0x0000000002040000-0x0000000002086000-memory.dmp	family_redline
behavioral1/memory/1944-82-0x00000000047C0000-0x0000000004804000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2004	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1776	gntuud.exe
1944	joker.exe
1888	anon.exe
1556	gntuud.exe
1392	gntuud.exe

Loads dropped DLL 9 IoCs

pid	Process
1468	file.exe
1468	file.exe
1776	gntuud.exe
1776	gntuud.exe
1776	gntuud.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\joker.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001051\\joker.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\anon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002051\\anon.exe"	gntuud.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1888	anon.exe
1888	anon.exe
1944	joker.exe
1944	joker.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	joker.exe
Token: SeDebugPrivilege	1888	anon.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1776	1468	file.exe	27
PID 1468 wrote to memory of 1776	1468	file.exe	27
PID 1468 wrote to memory of 1776	1468	file.exe	27
PID 1468 wrote to memory of 1776	1468	file.exe	27
PID 1776 wrote to memory of 1276	1776	gntuud.exe	28
PID 1776 wrote to memory of 1276	1776	gntuud.exe	28
PID 1776 wrote to memory of 1276	1776	gntuud.exe	28
PID 1776 wrote to memory of 1276	1776	gntuud.exe	28
PID 1776 wrote to memory of 1944	1776	gntuud.exe	32
PID 1776 wrote to memory of 1944	1776	gntuud.exe	32
PID 1776 wrote to memory of 1944	1776	gntuud.exe	32
PID 1776 wrote to memory of 1944	1776	gntuud.exe	32
PID 1776 wrote to memory of 1888	1776	gntuud.exe	33
PID 1776 wrote to memory of 1888	1776	gntuud.exe	33
PID 1776 wrote to memory of 1888	1776	gntuud.exe	33
PID 1776 wrote to memory of 1888	1776	gntuud.exe	33
PID 1352 wrote to memory of 1556	1352	taskeng.exe	36
PID 1352 wrote to memory of 1556	1352	taskeng.exe	36
PID 1352 wrote to memory of 1556	1352	taskeng.exe	36
PID 1352 wrote to memory of 1556	1352	taskeng.exe	36
PID 1776 wrote to memory of 2004	1776	gntuud.exe	37
PID 1776 wrote to memory of 2004	1776	gntuud.exe	37
PID 1776 wrote to memory of 2004	1776	gntuud.exe	37
PID 1776 wrote to memory of 2004	1776	gntuud.exe	37
PID 1776 wrote to memory of 2004	1776	gntuud.exe	37
PID 1776 wrote to memory of 2004	1776	gntuud.exe	37
PID 1776 wrote to memory of 2004	1776	gntuud.exe	37
PID 1352 wrote to memory of 1392	1352	taskeng.exe	38
PID 1352 wrote to memory of 1392	1352	taskeng.exe	38
PID 1352 wrote to memory of 1392	1352	taskeng.exe	38
PID 1352 wrote to memory of 1392	1352	taskeng.exe	38

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\1000001051\joker.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001051\joker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\1000002051\anon.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002051\anon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:2004

C:\Windows\system32\taskeng.exe
taskeng.exe {B51608ED-5E5F-418B-B3E7-E0BFD3EDE92F} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
  C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
  C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
  2⤵
  - Executes dropped EXE
  PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001051\joker.exe

Filesize
333KB

MD5
326da97d2b41992feb7d93927c5898b7

SHA1
c991dc8e8fc3fa70bb0d1227dc94ce56efff488b

SHA256
3aea52e0abe2310c261cf6faece42f308fdda969e1e0685dc86cfdc030cd597a

SHA512
a76a4f20c18807835d13d3517bbb102a5ef4157a570fe5aa37d2c53ff23b3993ff8a48c639c54a5f8c4b158dd0bd40cf5648e218fb4b6fb4cf3eb7f89bb456df

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002051\anon.exe

Filesize
335KB

MD5
246ef065801c2aaac08b7c1c74e4b8bf

SHA1
5c15a2f7a8465a020d1ce72191bb2db76f969130

SHA256
b844e3f70697b36557704833f491b8c19bfb683fe5e03c4bb488039c8c0e6422

SHA512
2ad6be07d6e82678e01295ce3949b41cdf9e3a34ba6685d7400e776e612c1420a5e649cd5e17a31fb79254beb0b21a88337f4f282cd21a52e17a76fcc4ce39bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002051\anon.exe

Filesize
335KB

MD5
246ef065801c2aaac08b7c1c74e4b8bf

SHA1
5c15a2f7a8465a020d1ce72191bb2db76f969130

SHA256
b844e3f70697b36557704833f491b8c19bfb683fe5e03c4bb488039c8c0e6422

SHA512
2ad6be07d6e82678e01295ce3949b41cdf9e3a34ba6685d7400e776e612c1420a5e649cd5e17a31fb79254beb0b21a88337f4f282cd21a52e17a76fcc4ce39bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe

Filesize
273KB

MD5
47760f0b6871e4b571ed5303d9cbe183

SHA1
34769f3ddf05f99ab6c96cc174a884084a6a3e25

SHA256
bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877

SHA512
5966ca19f7a997c82445a06db684d80b372a8857d2ba685feab293ceeeb08c6fd03e805f26bf9581e9cc05cf28e0609487d19777fc30a89766774147edd542e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe

Filesize
273KB

MD5
47760f0b6871e4b571ed5303d9cbe183

SHA1
34769f3ddf05f99ab6c96cc174a884084a6a3e25

SHA256
bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877

SHA512
5966ca19f7a997c82445a06db684d80b372a8857d2ba685feab293ceeeb08c6fd03e805f26bf9581e9cc05cf28e0609487d19777fc30a89766774147edd542e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe

Filesize
273KB

MD5
47760f0b6871e4b571ed5303d9cbe183

SHA1
34769f3ddf05f99ab6c96cc174a884084a6a3e25

SHA256
bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877

SHA512
5966ca19f7a997c82445a06db684d80b372a8857d2ba685feab293ceeeb08c6fd03e805f26bf9581e9cc05cf28e0609487d19777fc30a89766774147edd542e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe

Filesize
273KB

MD5
47760f0b6871e4b571ed5303d9cbe183

SHA1
34769f3ddf05f99ab6c96cc174a884084a6a3e25

SHA256
bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877

SHA512
5966ca19f7a997c82445a06db684d80b372a8857d2ba685feab293ceeeb08c6fd03e805f26bf9581e9cc05cf28e0609487d19777fc30a89766774147edd542e1

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
2499af3cae193bfde304401dcc0e0f88

SHA1
1bfdec793c338421809d00bdd36e9135cf858d7f

SHA256
0e943fdd8ab511a067276a911f9f9a2271771331d47d428b0f740c55d1baa0a7

SHA512
13e3cc3d5296fecb18b47aa72957a43f851ef798be534dbd3995bd38508861efd8f879b86456f09341a817fc0b50a93233ca05bc0ffda949fac85c27c8e451c0

Download Submit
\Users\Admin\AppData\Local\Temp\1000001051\joker.exe

Filesize
333KB

MD5
326da97d2b41992feb7d93927c5898b7

SHA1
c991dc8e8fc3fa70bb0d1227dc94ce56efff488b

SHA256
3aea52e0abe2310c261cf6faece42f308fdda969e1e0685dc86cfdc030cd597a

SHA512
a76a4f20c18807835d13d3517bbb102a5ef4157a570fe5aa37d2c53ff23b3993ff8a48c639c54a5f8c4b158dd0bd40cf5648e218fb4b6fb4cf3eb7f89bb456df

Download Submit
\Users\Admin\AppData\Local\Temp\1000001051\joker.exe

Filesize
333KB

MD5
326da97d2b41992feb7d93927c5898b7

SHA1
c991dc8e8fc3fa70bb0d1227dc94ce56efff488b

SHA256
3aea52e0abe2310c261cf6faece42f308fdda969e1e0685dc86cfdc030cd597a

SHA512
a76a4f20c18807835d13d3517bbb102a5ef4157a570fe5aa37d2c53ff23b3993ff8a48c639c54a5f8c4b158dd0bd40cf5648e218fb4b6fb4cf3eb7f89bb456df

Download Submit
\Users\Admin\AppData\Local\Temp\1000002051\anon.exe

Filesize
335KB

MD5
246ef065801c2aaac08b7c1c74e4b8bf

SHA1
5c15a2f7a8465a020d1ce72191bb2db76f969130

SHA256
b844e3f70697b36557704833f491b8c19bfb683fe5e03c4bb488039c8c0e6422

SHA512
2ad6be07d6e82678e01295ce3949b41cdf9e3a34ba6685d7400e776e612c1420a5e649cd5e17a31fb79254beb0b21a88337f4f282cd21a52e17a76fcc4ce39bd

Download Submit
\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe

Filesize
273KB

MD5
47760f0b6871e4b571ed5303d9cbe183

SHA1
34769f3ddf05f99ab6c96cc174a884084a6a3e25

SHA256
bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877

SHA512
5966ca19f7a997c82445a06db684d80b372a8857d2ba685feab293ceeeb08c6fd03e805f26bf9581e9cc05cf28e0609487d19777fc30a89766774147edd542e1

Download Submit
\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe

Filesize
273KB

MD5
47760f0b6871e4b571ed5303d9cbe183

SHA1
34769f3ddf05f99ab6c96cc174a884084a6a3e25

SHA256
bbdf6fa992c7b4af6c838007a88af77b0fa4202cc894cddb75f55f623a79a877

SHA512
5966ca19f7a997c82445a06db684d80b372a8857d2ba685feab293ceeeb08c6fd03e805f26bf9581e9cc05cf28e0609487d19777fc30a89766774147edd542e1

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
2499af3cae193bfde304401dcc0e0f88

SHA1
1bfdec793c338421809d00bdd36e9135cf858d7f

SHA256
0e943fdd8ab511a067276a911f9f9a2271771331d47d428b0f740c55d1baa0a7

SHA512
13e3cc3d5296fecb18b47aa72957a43f851ef798be534dbd3995bd38508861efd8f879b86456f09341a817fc0b50a93233ca05bc0ffda949fac85c27c8e451c0

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
2499af3cae193bfde304401dcc0e0f88

SHA1
1bfdec793c338421809d00bdd36e9135cf858d7f

SHA256
0e943fdd8ab511a067276a911f9f9a2271771331d47d428b0f740c55d1baa0a7

SHA512
13e3cc3d5296fecb18b47aa72957a43f851ef798be534dbd3995bd38508861efd8f879b86456f09341a817fc0b50a93233ca05bc0ffda949fac85c27c8e451c0

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
2499af3cae193bfde304401dcc0e0f88

SHA1
1bfdec793c338421809d00bdd36e9135cf858d7f

SHA256
0e943fdd8ab511a067276a911f9f9a2271771331d47d428b0f740c55d1baa0a7

SHA512
13e3cc3d5296fecb18b47aa72957a43f851ef798be534dbd3995bd38508861efd8f879b86456f09341a817fc0b50a93233ca05bc0ffda949fac85c27c8e451c0

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
2499af3cae193bfde304401dcc0e0f88

SHA1
1bfdec793c338421809d00bdd36e9135cf858d7f

SHA256
0e943fdd8ab511a067276a911f9f9a2271771331d47d428b0f740c55d1baa0a7

SHA512
13e3cc3d5296fecb18b47aa72957a43f851ef798be534dbd3995bd38508861efd8f879b86456f09341a817fc0b50a93233ca05bc0ffda949fac85c27c8e451c0

Download Submit
memory/1392-109-0x0000000000548000-0x0000000000567000-memory.dmp

Filesize
124KB

Download
memory/1392-110-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1392-107-0x0000000000548000-0x0000000000567000-memory.dmp

Filesize
124KB

Download
memory/1468-61-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/1468-60-0x0000000000508000-0x0000000000527000-memory.dmp

Filesize
124KB

Download
memory/1468-62-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1468-54-0x0000000000508000-0x0000000000527000-memory.dmp

Filesize
124KB

Download
memory/1468-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1556-96-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1556-95-0x00000000004F8000-0x0000000000517000-memory.dmp

Filesize
124KB

Download
memory/1556-93-0x00000000004F8000-0x0000000000517000-memory.dmp

Filesize
124KB

Download
memory/1776-67-0x00000000005C8000-0x00000000005E7000-memory.dmp

Filesize
124KB

Download
memory/1776-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1776-87-0x00000000005C8000-0x00000000005E7000-memory.dmp

Filesize
124KB

Download
memory/1776-63-0x00000000005C8000-0x00000000005E7000-memory.dmp

Filesize
124KB

Download
memory/1776-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1888-78-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/1888-77-0x0000000000220000-0x000000000027A000-memory.dmp

Filesize
360KB

Download
memory/1944-86-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1944-81-0x0000000002040000-0x0000000002086000-memory.dmp

Filesize
280KB

Download
memory/1944-79-0x0000000000538000-0x0000000000567000-memory.dmp

Filesize
188KB

Download
memory/1944-82-0x00000000047C0000-0x0000000004804000-memory.dmp

Filesize
272KB

Download
memory/1944-84-0x0000000000538000-0x0000000000567000-memory.dmp

Filesize
188KB

Download
memory/1944-85-0x00000000002D0000-0x000000000031B000-memory.dmp

Filesize
300KB

Download
memory/1944-89-0x0000000000538000-0x0000000000567000-memory.dmp

Filesize
188KB

Download
memory/1944-90-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2004-104-0x0000000000131000-0x000000000014B000-memory.dmp

Filesize
104KB

Download