Behavioral task: behavioral1
Sample: rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe
Resource: win10v2004-20250502-en
General
Target: rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
Size: 416KB
MD5: 79875579217d38930dfe270fd7e14df1
SHA1: 64138d4d9e4e6615ae74083e14726bcd90e88ff9
SHA256: 3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
SHA512: e52c0a297a36d11af497c1531427b8674c7f3de67cf277855e3685e5e5a28febb7effa68864b521b324c32b4fa253a394c1e05f7893847e4c7167d94fac6ccc3
SSDEEP: 6144:ZPUIrO0NCh31Alxujw54YsnLiO1ptnvT0lAkuW8GUi/83FrPKoTIf504AO4n2/jd:ZPUIrO0NChSlMw4vn7T0lAnW8BKhj
Malware Config
Extracted
Family: amadey
Version: 5.50
Botnet: c3c3ff
C2: http://196.251.85.220
install_dir: fd7d287510
install_file: nudwee.exe
strings_key: 3872399e63d63a78b38475d9142cabc0
url_paths: /E3jv8fS9b/index.php
Signatures
Amadey family
Unsigned PE (1 IoC): checks for missing Authenticode signature.
resource rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
Files
-
rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe windows:6 windows x86 arch:x86
1e7280afbf80c2800b272220ce0718da
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
CreateFileA
Process32FirstW
CloseHandle
GetSystemInfo
CreateThread
GetThreadContext
GetProcAddress
VirtualAllocEx
CreateToolhelp32Snapshot
Process32NextW
CreateProcessA
CreateDirectoryA
SetThreadContext
SetEndOfFile
HeapSize
GetProcessHeap
SetEnvironmentVariableW
Sleep
GetFileAttributesA
GetLastError
Wow64RevertWow64FsRedirection
GetTempPathA
ReadProcessMemory
SetCurrentDirectoryA
OpenProcess
GetModuleHandleA
ResumeThread
GetComputerNameExW
GetVersionExW
WaitForSingleObject
CreateMutexA
PeekNamedPipe
CreatePipe
VirtualAlloc
Wow64DisableWow64FsRedirection
WriteFile
VirtualFree
SetHandleInformation
WriteProcessMemory
GetModuleFileNameA
RemoveDirectoryA
ReadFile
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetTimeZoneInformation
HeapReAlloc
ReadConsoleW
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
DeleteFileW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
HeapAlloc
HeapFree
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
SetFilePointerEx
GetFileSizeEx
GetCommandLineW
GetCommandLineA
GetStdHandle
GetModuleFileNameW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetFileType
GetFileInformationByHandle
GetDriveTypeW
RaiseException
GetCurrentThreadId
IsProcessorFeaturePresent
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetModuleHandleExW
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
InitOnceComplete
InitOnceBeginInitialize
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
WaitForSingleObjectEx
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetModuleHandleW
EncodePointer
DecodePointer
MultiByteToWideChar
WideCharToMultiByte
LCMapStringEx
GetStringTypeW
GetCPInfo
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
RtlUnwind
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
CreateFileW
WriteConsoleW
user32
GetSystemMetrics
ReleaseDC
GetDC
gdi32
BitBlt
CreateCompatibleBitmap
SelectObject
CreateCompatibleDC
DeleteObject
advapi32
RevertToSelf
RegCloseKey
RegQueryInfoKeyW
RegGetValueA
RegQueryValueExA
GetSidSubAuthorityCount
GetSidSubAuthority
GetUserNameA
LookupAccountNameA
ImpersonateLoggedOnUser
RegSetValueExA
OpenProcessToken
RegOpenKeyExA
RegEnumValueA
DuplicateTokenEx
GetSidIdentifierAuthority
shell32
SHGetFolderPathA
ShellExecuteA
SHFileOperationA
ole32
CoUninitialize
CoCreateInstance
CoInitialize
wininet
HttpOpenRequestA
InternetWriteFile
InternetOpenUrlA
InternetOpenW
HttpEndRequestW
HttpAddRequestHeadersA
HttpSendRequestExA
InternetOpenA
InternetCloseHandle
HttpSendRequestA
InternetConnectA
InternetReadFile
gdiplus
GdiplusStartup
GdipSaveImageToFile
GdipGetImageEncodersSize
GdiplusShutdown
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
ws2_32
closesocket
inet_pton
getaddrinfo
WSAStartup
send
socket
connect
recv
htons
freeaddrinfo
Sections
.text Size: 311KB - Virtual size: 310KB - Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata Size: 78KB - Virtual size: 78KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 24KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 480B - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc Size: 16KB - Virtual size: 16KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ