amadey | 4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e

Analysis

max time kernel
103s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2022, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e.exe
Size

273KB
MD5

3e90989e2a9a34857f70da15ee1652b6
SHA1

a2e3e3379ca53c83938e6de1969fc94ea335b1d9
SHA256

4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e
SHA512

b1af8e356c588ea2171a2b5b7e12d140bef72e70a1cf719c8758f9fd8a656e79b96f745d1c276c533f06933323d976d16b867f4e4494bfc83a6bc6f66af4821c
SSDEEP

6144:QeLIqyQroN3oxtCSJxajTMC+cgq1jlVklPH:Qe8qnohoxwSJxavbp1FlU

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.237/jg94cVd30f/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e23-156.dat	amadey_cred_module
behavioral2/files/0x0006000000022e23-157.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
37	440	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3084	gntuud.exe
4464	gntuud.exe
5096	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 1 IoCs

pid	Process
440	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
8	4848	WerFault.exe	79
476	4464	WerFault.exe	101
2788	5096	WerFault.exe	105

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3084	4848	4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e.exe	80
PID 4848 wrote to memory of 3084	4848	4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e.exe	80
PID 4848 wrote to memory of 3084	4848	4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e.exe	80
PID 3084 wrote to memory of 3112	3084	gntuud.exe	86
PID 3084 wrote to memory of 3112	3084	gntuud.exe	86
PID 3084 wrote to memory of 3112	3084	gntuud.exe	86
PID 3084 wrote to memory of 5104	3084	gntuud.exe	88
PID 3084 wrote to memory of 5104	3084	gntuud.exe	88
PID 3084 wrote to memory of 5104	3084	gntuud.exe	88
PID 5104 wrote to memory of 2968	5104	cmd.exe	91
PID 5104 wrote to memory of 2968	5104	cmd.exe	91
PID 5104 wrote to memory of 2968	5104	cmd.exe	91
PID 5104 wrote to memory of 2256	5104	cmd.exe	92
PID 5104 wrote to memory of 2256	5104	cmd.exe	92
PID 5104 wrote to memory of 2256	5104	cmd.exe	92
PID 5104 wrote to memory of 1940	5104	cmd.exe	93
PID 5104 wrote to memory of 1940	5104	cmd.exe	93
PID 5104 wrote to memory of 1940	5104	cmd.exe	93
PID 5104 wrote to memory of 4012	5104	cmd.exe	94
PID 5104 wrote to memory of 4012	5104	cmd.exe	94
PID 5104 wrote to memory of 4012	5104	cmd.exe	94
PID 5104 wrote to memory of 2944	5104	cmd.exe	95
PID 5104 wrote to memory of 2944	5104	cmd.exe	95
PID 5104 wrote to memory of 2944	5104	cmd.exe	95
PID 5104 wrote to memory of 2244	5104	cmd.exe	96
PID 5104 wrote to memory of 2244	5104	cmd.exe	96
PID 5104 wrote to memory of 2244	5104	cmd.exe	96
PID 3084 wrote to memory of 440	3084	gntuud.exe	104
PID 3084 wrote to memory of 440	3084	gntuud.exe	104
PID 3084 wrote to memory of 440	3084	gntuud.exe	104

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e.exe
"C:\Users\Admin\AppData\Local\Temp\4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "gntuud.exe" /P "Admin:N"
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "gntuud.exe" /P "Admin:R" /E
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9c69749b54" /P "Admin:N"
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9c69749b54" /P "Admin:R" /E
      4⤵
      PID:2244
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 908
  2⤵
  - Program crash
  PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4848 -ip 4848
1⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
1⤵
- Executes dropped EXE
PID:4464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 416
  2⤵
  - Program crash
  PID:476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4464 -ip 4464
1⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
1⤵
- Executes dropped EXE
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 416
  2⤵
  - Program crash
  PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5096 -ip 5096
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
3e90989e2a9a34857f70da15ee1652b6

SHA1
a2e3e3379ca53c83938e6de1969fc94ea335b1d9

SHA256
4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e

SHA512
b1af8e356c588ea2171a2b5b7e12d140bef72e70a1cf719c8758f9fd8a656e79b96f745d1c276c533f06933323d976d16b867f4e4494bfc83a6bc6f66af4821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
3e90989e2a9a34857f70da15ee1652b6

SHA1
a2e3e3379ca53c83938e6de1969fc94ea335b1d9

SHA256
4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e

SHA512
b1af8e356c588ea2171a2b5b7e12d140bef72e70a1cf719c8758f9fd8a656e79b96f745d1c276c533f06933323d976d16b867f4e4494bfc83a6bc6f66af4821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
3e90989e2a9a34857f70da15ee1652b6

SHA1
a2e3e3379ca53c83938e6de1969fc94ea335b1d9

SHA256
4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e

SHA512
b1af8e356c588ea2171a2b5b7e12d140bef72e70a1cf719c8758f9fd8a656e79b96f745d1c276c533f06933323d976d16b867f4e4494bfc83a6bc6f66af4821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe

Filesize
273KB

MD5
3e90989e2a9a34857f70da15ee1652b6

SHA1
a2e3e3379ca53c83938e6de1969fc94ea335b1d9

SHA256
4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e

SHA512
b1af8e356c588ea2171a2b5b7e12d140bef72e70a1cf719c8758f9fd8a656e79b96f745d1c276c533f06933323d976d16b867f4e4494bfc83a6bc6f66af4821c

Download Submit
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll

Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
memory/3084-142-0x00000000004C3000-0x00000000004E2000-memory.dmp

Filesize
124KB

Download
memory/3084-151-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3084-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3084-150-0x00000000004C3000-0x00000000004E2000-memory.dmp

Filesize
124KB

Download
memory/4464-153-0x0000000000614000-0x0000000000633000-memory.dmp

Filesize
124KB

Download
memory/4464-154-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4848-132-0x0000000000612000-0x0000000000631000-memory.dmp

Filesize
124KB

Download
memory/4848-139-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4848-138-0x0000000000612000-0x0000000000631000-memory.dmp

Filesize
124KB

Download
memory/4848-134-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4848-133-0x00000000020E0000-0x000000000211E000-memory.dmp

Filesize
248KB

Download
memory/5096-159-0x0000000000734000-0x0000000000753000-memory.dmp

Filesize
124KB

Download
memory/5096-160-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download