Behavioral task
behavioral1
Sample
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
Resource
win10v2004-20241007-en
General
-
Target
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
-
Size
431KB
-
MD5
4962575a2378d5c72e7a836ea766e2ad
-
SHA1
549964178b12017622d3cbdda6dbfdef0904e7e2
-
SHA256
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
-
SHA512
911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53
-
SSDEEP
12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb
Malware Config
Extracted
amadey
5.10
0f3be6
http://185.81.68.147
http://185.81.68.148
-
install_dir
ee29ea508b
-
install_file
Gxtuum.exe
-
strings_key
d3a5912ea69ad34a2387af70c8be9e21
-
url_paths
/7vhfjke3/index.php
/8Fvu5jh4DbS/index.php
Signatures
-
Amadey family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
Files
-
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe.exe windows:6 windows x86 arch:x86
407b29a1346b818a12b66f58555063ce
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
GetFileAttributesA
Process32NextW
CreateFileA
Process32FirstW
CloseHandle
GetSystemInfo
CreateThread
GetThreadContext
GetProcAddress
GetLastError
RemoveDirectoryA
ReadProcessMemory
CreateProcessA
CreateDirectoryA
SetThreadContext
SetEndOfFile
HeapSize
GetProcessHeap
SetEnvironmentVariableW
Wow64RevertWow64FsRedirection
GetTempPathA
Sleep
CreateToolhelp32Snapshot
OpenProcess
SetCurrentDirectoryA
GetModuleHandleA
ResumeThread
GetComputerNameExW
GetVersionExW
WaitForSingleObject
CreateMutexA
FindClose
PeekNamedPipe
CreatePipe
FindNextFileA
VirtualAlloc
Wow64DisableWow64FsRedirection
WriteFile
VirtualFree
FindFirstFileA
SetHandleInformation
WriteProcessMemory
GetModuleFileNameA
VirtualAllocEx
ReadFile
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
GetTimeZoneInformation
HeapReAlloc
ReadConsoleW
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
DeleteFileW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
HeapAlloc
HeapFree
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
SetFilePointerEx
GetFileSizeEx
GetCommandLineW
GetCommandLineA
GetStdHandle
GetModuleFileNameW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetFileType
GetFileInformationByHandle
GetDriveTypeW
CreateFileW
RaiseException
GetCurrentThreadId
IsProcessorFeaturePresent
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetModuleHandleExW
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
InitOnceComplete
InitOnceBeginInitialize
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
WaitForSingleObjectEx
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetModuleHandleW
EncodePointer
DecodePointer
MultiByteToWideChar
WideCharToMultiByte
LCMapStringEx
GetStringTypeW
GetCPInfo
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
RtlUnwind
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
WriteConsoleW
user32
GetSystemMetrics
ReleaseDC
GetDC
gdi32
CreateCompatibleBitmap
SelectObject
CreateCompatibleDC
DeleteObject
BitBlt
advapi32
RevertToSelf
RegCloseKey
RegQueryInfoKeyW
RegGetValueA
RegQueryValueExA
GetSidSubAuthorityCount
GetSidSubAuthority
GetUserNameA
CreateProcessWithTokenW
LookupAccountNameA
ImpersonateLoggedOnUser
RegSetValueExA
OpenProcessToken
RegOpenKeyExA
RegEnumValueA
DuplicateTokenEx
GetSidIdentifierAuthority
shell32
SHGetFolderPathA
ShellExecuteA
SHFileOperationA
ole32
CoUninitialize
CoCreateInstance
CoInitialize
wininet
HttpOpenRequestA
InternetWriteFile
InternetOpenUrlA
InternetOpenW
HttpEndRequestW
HttpAddRequestHeadersA
HttpSendRequestExA
InternetOpenA
InternetCloseHandle
HttpSendRequestA
InternetConnectA
InternetReadFile
gdiplus
GdiplusStartup
GdipSaveImageToFile
GdipGetImageEncodersSize
GdiplusShutdown
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
ws2_32
closesocket
inet_pton
getaddrinfo
WSAStartup
send
socket
connect
recv
htons
freeaddrinfo
Sections
.text Size: 318KB - Virtual size: 318KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 82KB - Virtual size: 82KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 11KB - Virtual size: 27KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 17KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ