Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 764029
MD5: 2396925cc38be4f07bd426cf080256ce
SHA1: 8884e5383b3601e59089f0d287acad1eff20c676
SHA256: e91bb1f7c2b2ffd094d3915f1fffbfe929efd49e1d732b51d60e8a378a8a066b
Tags: exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadey's stealer DLL
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Amadey bot
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Drops PE files
Contains functionality to read the PEB
Contains functionality to launch a program with higher privileges
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll_ Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll= Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/index.php Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/index.php8 Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll) Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/index.phpplay Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll Virustotal: Detection: 18%
Source: http://77.73.133.72/hfk3vK9/index.php Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll ReversingLabs: Detection: 88%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Joe Sandbox ML: detected
Source: 0.2.file.exe.900e67.1.unpack Malware Configuration Extractor: Amadey {"C2 url": "77.73.133.72/hfk3vK9/index.php", "Version": "3.50"}

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Unpacked PE file: 4.2.gntuud.exe.400000.0.unpack
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: file.exe, file.exe, 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, gntuud.exe, 00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: C:\wabuj\8-vuca\fomehibarayar-zejegogotu94\guyo\veceradaro\fev.pdb source: file.exe, gntuud.exe.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00420BA6 FindFirstFileExW, 0_2_00420BA6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00920E0D FindFirstFileExW, 0_2_00920E0D
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00420BA6 FindFirstFileExW, 4_2_00420BA6

Networking

Source: Malware configuration extractor URLs: 77.73.133.72/hfk3vK9/index.php
Source: Joe Sandbox View ASN Name: AS43260TR
Source: Joe Sandbox View IP Address: 77.73.133.72
Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll
Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll)
Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll=
Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll_
Source: gntuud.exe, 00000001.00000003.293349447.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.73.133.72/hfk3vK9/index.php
Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.73.133.72/hfk3vK9/index.php8
Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.73.133.72/hfk3vK9/index.phpplay
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404180 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00404180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown, 0_2_00402C70
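The seven URL strings listed above are really two URLs. Variants such as "index.php8", "index.phpplay" and "cred64.dll)" are the same string with a byte or two of adjacent memory read past the terminating NUL during the memory scan; no client will ever request them, and treating each as a separate indicator inflates the IOC list. The following Python is an added example, not part of the Joe Sandbox report: it takes the configuration extractor output as the anchor and folds every scraped string onto the known path it extends. The set of known paths is taken from the report; the fold rule (accept a string only if its path starts with a known path, discard the rest) is this example's own.

```python
"""Fold memory-scraped C2 strings onto the extracted Amadey configuration.

Added example; it is not part of the Joe Sandbox report. Only the
configuration-extractor output is authoritative. Scraped strings are
folded onto it so the IOC set contains each URL exactly once.
"""
from urllib.parse import urlsplit

# From the report's "Malware Configuration Extractor" line.
AMADEY_CONFIG = {"C2 url": "77.73.133.72/hfk3vK9/index.php", "Version": "3.50"}

# Paths confirmed by the report: the C2 endpoint and the plugin download
# (cred64.dll is the credential-stealer DLL the bot fetches).
KNOWN_PATHS = ("/hfk3vK9/index.php", "/hfk3vK9/Plugins/cred64.dll")

# Constructed input: the "String found in binary or memory" URLs from the report.
MEMORY_STRINGS = [
    "http://77.73.133.72/hfk3vK9/Plugins/cred64.dll",
    "http://77.73.133.72/hfk3vK9/Plugins/cred64.dll)",
    "http://77.73.133.72/hfk3vK9/Plugins/cred64.dll=",
    "http://77.73.133.72/hfk3vK9/Plugins/cred64.dll_",
    "http://77.73.133.72/hfk3vK9/index.php",
    "http://77.73.133.72/hfk3vK9/index.php8",
    "http://77.73.133.72/hfk3vK9/index.phpplay",
]


def canonicalize(url, known_paths=KNOWN_PATHS):
    """Return (host, path) with trailing over-read bytes removed.

    The path is accepted only if it starts with a known path; whatever
    follows is discarded as memory garbage. Unknown paths are returned
    unchanged so a genuinely new endpoint is never silently dropped.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = parts.hostname, parts.path
    for known in sorted(known_paths, key=len, reverse=True):
        if path.startswith(known):
            return host, known
    return host, path


def fold_variants(strings, known_paths=KNOWN_PATHS):
    """Group raw strings by canonical 'host/path' so the analyst can see
    exactly which scraped variants were folded together."""
    groups = {}
    for raw in strings:
        host, path = canonicalize(raw, known_paths)
        groups.setdefault(f"{host}{path}", []).append(raw)
    return groups


def build_ioc_set(strings, known_paths=KNOWN_PATHS):
    """Sorted, de-duplicated list of canonical 'host/path' indicators."""
    return sorted(fold_variants(strings, known_paths))


def config_is_covered(config, strings):
    """Sanity check: the extracted C2 must appear among the network IOCs."""
    return config["C2 url"] in build_ioc_set(strings)


if __name__ == "__main__":
    for canon, raws in fold_variants(MEMORY_STRINGS).items():
        print(canon, "<-", raws)
    print("config C2 covered:", config_is_covered(AMADEY_CONFIG, MEMORY_STRINGS))
```

The fold is deliberately prefix-based rather than a generic "strip trailing punctuation" rule: "index.php8" contains no punctuation to strip, and only knowledge of the real path tells you that the 8 is garbage. When the configuration extractor has failed and no known path exists, the longest common prefix across the variants is the next-best anchor, but that result should be reviewed by hand.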

System Summary

Source: 00000000.00000002.259666135.00000000005D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.259666135.00000000005D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Note: the Windows_Trojan_RedLineStealer and Windows_Trojan_Smokeloader hits above are Elastic community rules (Elastic License v2) firing on unpacked memory regions of file.exe and gntuud.exe. The family attribution of this sample rests on the Amadey configuration extractor (version 3.50, C2 77.73.133.72/hfk3vK9/index.php), the D:\Mktmp\Amadey\Release\Amadey.pdb debug path and the Amadey-specific Yara rules, not on those two matches.
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CBD0 0_2_0040CBD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00429470 0_2_00429470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042848D 0_2_0042848D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00432890 0_2_00432890
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009296D7 0_2_009296D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009286F4 0_2_009286F4
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00429470 4_2_00429470
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_0042848D 4_2_0042848D
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00432890 4_2_00432890
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_0040CBD0 4_2_0040CBD0
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00918EA7 appears 33 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 009171B7 appears 125 times
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Process Stats: CPU usage > 98%
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll 5CD41F164DE6F783B7DA82B5F6DBD49413ECCD87CC7470F2004D58CA081FB0E0
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe File created: C:\Users\user\AppData\Roaming\f49dfc5e4e2508
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\ecaac49691
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/4@0/1
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00746356 CreateToolhelp32Snapshot,Module32First, 4_2_00746356
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Mutant created: \Sessions\1\BaseNamedObjects\f49dfc5e4e2508eabedc241a3f1ae459
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: file.exe, file.exe, 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, gntuud.exe, 00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: C:\wabuj\8-vuca\fomehibarayar-zejegogotu94\guyo\veceradaro\fev.pdb source: file.exe, gntuud.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Unpacked PE file: 4.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.wuve:R;.bedicar:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Unpacked PE file: 4.2.gntuud.exe.400000.0.unpack .text:ER;.data:W;.wuve:R;.bedicar:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418C86 push ecx; ret 0_2_00418C99
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00418C86 push ecx; ret 4_2_00418C99
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_0074B3E8 push 54850227h; ret 4_2_0074B441
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_0074951B push cs; ret 4_2_00749537
Source: file.exe Static PE information: section name: .wuve
Source: file.exe Static PE information: section name: .bedicar
Source: gntuud.exe.0.dr Static PE information: section name: .wuve
Source: gntuud.exe.0.dr Static PE information: section name: .bedicar
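The two "Unpacked PE file" lines above print the section table of the file on disk and of the image after it unpacked itself, as "name:rights;..." lists separated by "vs" (E = execute, R = read, W = write). The following Python is an added example, not part of the Joe Sandbox report: it parses that notation, diffs the two layouts and checks the on-disk names against the names the Microsoft linker normally emits. The diff makes the packer's work explicit: the linker's .rdata is absent from the on-disk file and two read-only sections with generated names (.wuve, .bedicar) appear in its place, which is what the "non-standard section names" signature keys on. The list of standard section names is this example's own.

```python
"""Diff the packed and unpacked section layouts printed in the report.

Added example, not part of the Joe Sandbox report. Parses the report's
"name:rights;... vs name:rights;..." notation and describes how the two
layouts differ.
"""
# Section names the Microsoft linker emits for ordinary C/C++ images
# (this example's own list; anything outside it is flagged for review).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                     ".idata", ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def parse_sections(spec):
    """'.text:ER;.data:W;' -> {'.text': 'ER', '.data': 'W'} (order kept)."""
    layout = {}
    for item in spec.split(";"):
        item = item.strip()
        if item:
            name, _, rights = item.partition(":")
            layout[name] = rights
    return layout


def diff_layouts(line):
    """Parse one 'A vs B' report line and describe how the layouts differ.

    A is the file as it sits on disk, B the image after self-unpacking.
    """
    on_disk_spec, _, unpacked_spec = line.partition(" vs ")
    on_disk, unpacked = parse_sections(on_disk_spec), parse_sections(unpacked_spec)
    return {
        "only_on_disk": sorted(set(on_disk) - set(unpacked)),
        "only_unpacked": sorted(set(unpacked) - set(on_disk)),
        "rights_changed": {n: (on_disk[n], unpacked[n])
                           for n in on_disk if n in unpacked and on_disk[n] != unpacked[n]},
        "nonstandard_names": sorted(n for n in on_disk if n not in STANDARD_SECTIONS),
        # RWX sections are a separate red flag; this sample has none.
        "writable_executable": sorted(n for n, r in on_disk.items() if "W" in r and "E" in r),
    }


# The layout line reported for file.exe (gntuud.exe shows the identical one).
REPORT_LINE = (".text:ER;.data:W;.wuve:R;.bedicar:R;.rsrc:R;.reloc:R; "
               "vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;")

if __name__ == "__main__":
    for key, value in diff_layouts(REPORT_LINE).items():
        print(f"{key:20} {value}")
```

For this sample the rights of the sections common to both layouts do not change; the "changes PE section rights" signature is about the process altering page protections at run time, which this static comparison of two headers does not capture.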

Persistence and Installation Behavior

Source: Yara match File source: 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 2016, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
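The two persistence mechanisms recorded here are a scheduled task that re-launches gntuud.exe from %LOCALAPPDATA%\Temp every minute, and a write to Explorer's "User Shell Folders\Startup" value, which redirects the per-user Startup folder. The following Python is an added example, not part of the Joe Sandbox report: detection logic for both, run over a handful of constructed Sysmon-style events (process creation, EventID 1, and registry value set, EventID 13) modelled on the behaviour logged above. The field names follow Sysmon; the events, the list of user-writable directories and the rule names are this example's own.

```python
"""Detect the two persistence mechanisms in this report from endpoint telemetry.

Added example, not part of the Joe Sandbox report. Events are constructed
Sysmon-style records; a real deployment would feed Sysmon EID 1 and EID 13.
"""
import ntpath

# Directories a standard user can write to. An autostart entry pointing here
# is far more suspicious than one pointing into Program Files or Windows.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                      "\\users\\public\\", "\\programdata\\", "\\downloads\\")
STARTUP_SHELL_FOLDER = "\\explorer\\user shell folders\\startup"


def split_cmdline(cmdline):
    """Tokenise a Windows command line: split on whitespace, double quotes
    group a token and are removed, backslashes are literal (unlike shlex)."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def schtasks_options(tokens):
    """Map schtasks switches to values ('/SC MINUTE' -> {'/sc': 'MINUTE'});
    switches without a value (/Create, /F) map to True."""
    opts, i = {}, 1  # tokens[0] is the program itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok.lower()] = tokens[i + 1]
                i += 2
                continue
            opts[tok.lower()] = True
        i += 1
    return opts


def in_user_writable(path):
    lowered = path.lower()
    return any(d in lowered for d in USER_WRITABLE_DIRS)


def check_process_event(ev):
    """schtasks.exe creating a minute-interval task whose action lives in a
    user-writable directory: the exact pattern gntuud.exe uses above."""
    if ntpath.basename(ev["Image"]).lower() != "schtasks.exe":
        return None
    opts = schtasks_options(split_cmdline(ev["CommandLine"]))
    if "/create" not in opts:
        return None
    action = str(opts.get("/tr", ""))
    if str(opts.get("/sc", "")).upper() == "MINUTE" and in_user_writable(action):
        return {"rule": "schtasks_minute_task_user_writable", "task": opts.get("/tn"),
                "action": action, "every_minutes": str(opts.get("/mo", "1")),
                "parent": ev.get("ParentImage")}
    return None


def check_registry_event(ev):
    """Any write to HKCU ...\\User Shell Folders\\Startup: whatever directory
    the value now points at is executed at logon. Legitimate software very
    rarely changes it after profile creation, so every write is reported."""
    if ev["TargetObject"].lower().endswith(STARTUP_SHELL_FOLDER):
        return {"rule": "user_shell_folders_startup_modified",
                "writer": ev["Image"], "details": ev.get("Details")}
    return None


def scan(events):
    findings = []
    for ev in events:
        hit = None
        if ev["EventID"] == 1:
            hit = check_process_event(ev)
        elif ev["EventID"] == 13:
            hit = check_registry_event(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed events modelled on the report's process tree and registry log.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
                    r'/TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F'},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
     "Details": "(value not recorded in the report)"},
    # Benign-looking controls: a daily vendor task and a task query.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks.exe /Create /SC DAILY /TN "Vendor Update" /TR "C:\Program Files\Vendor\update.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /Query /TN gntuud.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the parsed /SC and /TR values rather than on a substring of the raw command line is what keeps the daily vendor task and the /Query invocation out of the results; a practitioner tuning this further would also weight the parent (here a binary in %LOCALAPPDATA%\Temp spawning schtasks.exe) and the one-minute /MO interval, which almost no legitimate task uses.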
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 1948 Thread sleep time: -690000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5260 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5324 Thread sleep time: -1620000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5252 Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5324 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 1948 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\file.exe API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe API coverage: 4.7 %
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 0_2_00405400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00420BA6 FindFirstFileExW, 0_2_00420BA6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00920E0D FindFirstFileExW, 0_2_00920E0D
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00420BA6 FindFirstFileExW, 4_2_00420BA6
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Thread delayed: delay time: 30000
Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00418A67
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree, 0_2_004037D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041B901 mov eax, dword ptr fs:[00000030h] 0_2_0041B901
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041DF02 mov eax, dword ptr fs:[00000030h] 0_2_0041DF02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0090092B mov eax, dword ptr fs:[00000030h] 0_2_0090092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091E169 mov eax, dword ptr fs:[00000030h] 0_2_0091E169
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091BB68 mov eax, dword ptr fs:[00000030h] 0_2_0091BB68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00900D90 mov eax, dword ptr fs:[00000030h] 0_2_00900D90
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_0041B901 mov eax, dword ptr fs:[00000030h] 4_2_0041B901
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_0041DF02 mov eax, dword ptr fs:[00000030h] 4_2_0041DF02
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00745C33 push dword ptr fs:[00000030h] 4_2_00745C33
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00418163
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00418A67
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041CA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418BCC SetUnhandledExceptionFilter, 0_2_00418BCC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009183CA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_009183CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00918CCE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00918CCE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091CCE7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0091CCE7
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00418163
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00418A67
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0041CA80
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Code function: 4_2_00418BCC SetUnhandledExceptionFilter, 4_2_00418BCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403F40 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree, 0_2_00403F40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404350 ShellExecuteA, 0_2_00404350
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation (logged twice)
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\f49dfc5e4e2508\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation (identical query logged a further 21 times)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418887 cpuid 0_2_00418887
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418CA1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00418CA1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00424BC4 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_00424BC4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 0_2_00405400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CBD0 GetUserNameA,SetCurrentDirectoryA,GetFileAttributesA,CreateDirectoryA,GetFileAttributesA,GetModuleFileNameA,SetCurrentDirectoryA,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument, 0_2_0040CBD0
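The API chain recorded at 0_2_00403F40 in this section (CreateProcessA, GetThreadContext, VirtualAllocEx, three WriteProcessMemory calls, SetThreadContext, ResumeThread) is the order of operations of process hollowing and is the evidence behind the "Creates a process in suspended mode (likely to inject code)" and "inject code into remote processes" signatures; the chain at 0_2_00402C70 in the Networking section (GetDC, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, GdipSaveImageToFile) is a screen capture, and 0_2_00404180 is a WinINet download. The following Python is an added example, not part of the Joe Sandbox report: it parses the report's "Code function:" lines and matches the call traces against behaviour signatures written as ordered subsequences (every API must appear in order, with unrelated calls allowed in between). The signature set, the A/W suffix normalisation and the parser are this example's own; the traces are the report's.

```python
"""Match Win32 API call chains from the report against behaviour signatures.

Added example, not part of the Joe Sandbox report. Signatures are ordered
subsequences of API names; traces are the report's own "Code function" lines.
"""

# Ordered API subsequences. Names are compared after stripping the Win32
# A/W suffix so CreateProcessA and CreateProcessW satisfy the same rule.
SIGNATURES = {
    "process_hollowing": ["CreateProcess", "GetThreadContext", "VirtualAllocEx",
                          "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
    "screenshot_capture": ["GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap",
                           "BitBlt", "GdipSaveImageToFile"],
    "wininet_download": ["InternetOpen", "InternetOpenUrl", "InternetReadFile"],
}


def normalize(api):
    """Drop a trailing ANSI/Unicode marker: 'GetUserNameW' -> 'GetUserName'.
    Strip only when the preceding character is lower-case or a digit, so
    'CreateCompatibleDC' and 'GetDC' are left alone."""
    if len(api) > 1 and api[-1] in "AW" and (api[-2].islower() or api[-2].isdigit()):
        return api[:-1]
    return api


def match_sequence(apis, signature):
    """Greedy in-order subsequence match; returns matched indices or None."""
    hits, pos = [], 0
    for want in signature:
        while pos < len(apis) and normalize(apis[pos]) != want:
            pos += 1
        if pos == len(apis):
            return None
        hits.append(pos)
        pos += 1
    return hits


def classify(apis):
    """Names of every signature whose API order appears in the trace."""
    return [name for name, sig in SIGNATURES.items()
            if match_sequence(apis, sig) is not None]


def parse_code_function(line):
    """Parse a Joe Sandbox 'Code function:' line into (function id, [apis]).
    Layout after the label: '<id> <api>,<api>,...,<api>, <id>'."""
    _, _, rest = line.partition("Code function: ")
    parts = rest.split()
    func_id, api_blob = parts[0], " ".join(parts[1:-1])
    return func_id, [a for a in api_blob.split(",") if a]


def scan_report_lines(lines):
    return {fid: classify(apis) for fid, apis in map(parse_code_function, lines)}


# The "Code function" portion of four lines from this report.
REPORT_LINES = [
    "Code function: 0_2_00403F40 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,"
    "ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,"
    "WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree, 0_2_00403F40",
    "Code function: 0_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,"
    "RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,"
    "GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,"
    "CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,"
    "GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,"
    "ReleaseDC,GdipDisposeImage,GdiplusShutdown, 0_2_00402C70",
    "Code function: 0_2_00404180 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,"
    "InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00404180",
    "Code function: 0_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,"
    "HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,"
    "LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,"
    "GetProcessHeap,HeapFree,LocalFree, 0_2_004037D0",
]

if __name__ == "__main__":
    for fid, names in scan_report_lines(REPORT_LINES).items():
        print(fid, names or "-")
```

Ordered subsequences are deliberately looser than exact sequences: the hollowing chain here interleaves VirtualAlloc, ReadProcessMemory and GetProcAddress between the signature calls (the injector reads the target's PEB to find its image base and resolves an API by hand), and a rule demanding adjacency would miss it. The cost is false positives on benign code that happens to call the same APIs in the same order, so the rule names should be read as "behaviour consistent with", not as a verdict; the report's own static signatures are derived the same way.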

Stealing of Sensitive Information

Source: Yara match File source: 4.2.gntuud.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.gntuud.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gntuud.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.900e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.gntuud.exe.6e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.gntuud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.gntuud.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.gntuud.exe.680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.gntuud.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.293480849.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.271178795.0000000000680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED
Source: Yara match File source: 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 2016, type: MEMORYSTR