amadey | 41918b4a3dacbcbbc2151efa5208315fd0aaecf08575b19bb74ab16f60df6fb1

General

Target

fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe
Size

281KB
MD5

af991d7c2db58e42549976ccb36e5cc7
SHA1

748c8a3a47d7331df0fc2f25a4e891161ec11c2d
SHA256

fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa
SHA512

d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a
SSDEEP

6144:hYPLCzXNHJFXbYGq2x5whJ4X5R158YXeIeYC8o13azHk5o:hg2zXHFXEGqAwhaXXXXeZaQ

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.61

C2

62.204.41.79/U7vfDb3kg/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e55-147.dat	amadey_cred_module
behavioral2/memory/3204-150-0x00000000007B0000-0x00000000007D4000-memory.dmp	amadey_cred_module
behavioral2/files/0x0007000000022e55-149.dat	amadey_cred_module
behavioral2/files/0x0007000000022e55-148.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	3204	rundll32.exe

Executes dropped EXE 4 IoCs

pid	Process
4324	gntuud.exe
4216	gntuud.exe
1044	gntuud.exe
3948	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe

Loads dropped DLL 2 IoCs

pid	Process
3204	rundll32.exe
3204	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2416	3440	WerFault.exe	80
4640	4216	WerFault.exe	86
4020	1044	WerFault.exe	97
1632	3948	WerFault.exe	100

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4324	3440	fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe	81
PID 3440 wrote to memory of 4324	3440	fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe	81
PID 3440 wrote to memory of 4324	3440	fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe	81
PID 4324 wrote to memory of 4304	4324	gntuud.exe	84
PID 4324 wrote to memory of 4304	4324	gntuud.exe	84
PID 4324 wrote to memory of 4304	4324	gntuud.exe	84
PID 4324 wrote to memory of 3204	4324	gntuud.exe	96
PID 4324 wrote to memory of 3204	4324	gntuud.exe	96
PID 4324 wrote to memory of 3204	4324	gntuud.exe	96

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe
"C:\Users\Admin\AppData\Local\Temp\fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4304
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:3204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1132
  2⤵
  - Program crash
  PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3440 -ip 3440
1⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
1⤵
- Executes dropped EXE
PID:4216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 316
  2⤵
  - Program crash
  PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4216 -ip 4216
1⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
1⤵
- Executes dropped EXE
PID:1044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 188
  2⤵
  - Program crash
  PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1044 -ip 1044
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
1⤵
- Executes dropped EXE
PID:3948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 316
  2⤵
  - Program crash
  PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3948 -ip 3948
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
281KB

MD5
af991d7c2db58e42549976ccb36e5cc7

SHA1
748c8a3a47d7331df0fc2f25a4e891161ec11c2d

SHA256
fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

SHA512
d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
281KB

MD5
af991d7c2db58e42549976ccb36e5cc7

SHA1
748c8a3a47d7331df0fc2f25a4e891161ec11c2d

SHA256
fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

SHA512
d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
281KB

MD5
af991d7c2db58e42549976ccb36e5cc7

SHA1
748c8a3a47d7331df0fc2f25a4e891161ec11c2d

SHA256
fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

SHA512
d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
281KB

MD5
af991d7c2db58e42549976ccb36e5cc7

SHA1
748c8a3a47d7331df0fc2f25a4e891161ec11c2d

SHA256
fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

SHA512
d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
281KB

MD5
af991d7c2db58e42549976ccb36e5cc7

SHA1
748c8a3a47d7331df0fc2f25a4e891161ec11c2d

SHA256
fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

SHA512
d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
memory/1044-153-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1044-152-0x00000000004CD000-0x00000000004EC000-memory.dmp

Filesize
124KB

Download
memory/3204-146-0x0000000000000000-mapping.dmp

Download
memory/3204-150-0x00000000007B0000-0x00000000007D4000-memory.dmp

Filesize
144KB

Download
memory/3440-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3440-133-0x00000000008F0000-0x000000000092C000-memory.dmp

Filesize
240KB

Download
memory/3440-134-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3440-132-0x000000000080A000-0x0000000000828000-memory.dmp

Filesize
120KB

Download
memory/3440-138-0x000000000080A000-0x0000000000828000-memory.dmp

Filesize
120KB

Download
memory/3948-155-0x00000000005BD000-0x00000000005DC000-memory.dmp

Filesize
124KB

Download
memory/3948-156-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3948-157-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4216-144-0x000000000063D000-0x000000000065C000-memory.dmp

Filesize
124KB

Download
memory/4216-145-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4304-140-0x0000000000000000-mapping.dmp

Download
memory/4324-141-0x000000000060B000-0x0000000000629000-memory.dmp

Filesize
120KB

Download
memory/4324-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4324-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads