Windows Analysis Report
q3oUuJIXkc.exe

Overview

General Information

Sample Name: q3oUuJIXkc.exe
Analysis ID: 764037
MD5: 2239a58cc93fd94dc2806ce7f6af0a0b
SHA1: f09eb7d69bc7440d3d45e14267236a78ac789fcb
SHA256: 682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
Tags: 32exetrojan

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Overwrites code with function prologues
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to evade analysis by execution special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Uses cacls to modify the permissions of files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: q3oUuJIXkc.exe Virustotal: Detection: 15%
Source: q3oUuJIXkc.exe ReversingLabs: Detection: 35%
Source: http://85.209.135.109/jg94cVd30f/index.php?scr=1 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe ReversingLabs: Detection: 35%
Source: 12.2.gntuud.exe.1280000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}
Source: q3oUuJIXkc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: q3oUuJIXkc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: q3oUuJIXkc.exe, gntuud.exe.0.dr

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.4 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80
Source: Malware configuration extractor URLs: 85.209.135.109/jg94cVd30f/index.php
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php0
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php58e5d3
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php?scr=1
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpF
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpR
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpb
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpd3
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpj
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpv
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpz
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: q3oUuJIXkc.exe, 00000000.00000002.324348201.000000000136A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: q3oUuJIXkc.exe Static PE information: section name: lB@dO\ih
Source: q3oUuJIXkc.exe Static PE information: section name: Fh?jG[OJ
Source: q3oUuJIXkc.exe Static PE information: section name: qNR5:WbS
Source: q3oUuJIXkc.exe Static PE information: section name: z?fd8ijJ
Source: q3oUuJIXkc.exe Static PE information: section name: CV?7x>JO
Source: q3oUuJIXkc.exe Static PE information: section name: dT<:EHzj
Source: q3oUuJIXkc.exe Static PE information: section name: @]topACL
Source: gntuud.exe.0.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.0.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.0.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.0.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.0.dr Static PE information: section name: @]topACL
Source: cred64[1].dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.1.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.1.dr Static PE information: section name: Uh%r6i!H
Source: q3oUuJIXkc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process Stats: CPU usage > 98%
Source: q3oUuJIXkc.exe, 00000000.00000003.307486785.00000000012DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
Source: q3oUuJIXkc.exe, 00000000.00000002.324049922.0000000000B85000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
Source: q3oUuJIXkc.exe, 00000000.00000000.297381574.0000000000B85000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
Source: q3oUuJIXkc.exe Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
Source: q3oUuJIXkc.exe Static PE information: invalid certificate
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll 8C46C2AF1CB25BFA8FBBF9D683D72D30DDB2E5D0ECC6BBA997B24714CF2B8C91
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe 682ABD62B6E3C0E8CA57F079CD96F2D3848752EAF7002BDF57BFB512BD242811
Source: q3oUuJIXkc.exe Virustotal: Detection: 15%
Source: q3oUuJIXkc.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File read: C:\Users\user\Desktop\q3oUuJIXkc.exe
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\q3oUuJIXkc.exe C:\Users\user\Desktop\q3oUuJIXkc.exe
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@24/9@0/2
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\118b2709b7d16171ccdcf59ab82ccd18
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Mutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c
Source: q3oUuJIXkc.exe Static file information: File size 7732440 > 1048576
Source: q3oUuJIXkc.exe Static PE information: Raw size of EVjKc_MI is bigger than: 0x100000 < 0x6f7800
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: q3oUuJIXkc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: q3oUuJIXkc.exe, gntuud.exe.0.dr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_3_04F5861C pushad ; ret 13_3_04F58829
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_3_04F5460E push eax; ret 13_3_04F54691
Source: q3oUuJIXkc.exe Static PE information: section name: lB@dO\ih
Source: q3oUuJIXkc.exe Static PE information: section name: Fh?jG[OJ
Source: q3oUuJIXkc.exe Static PE information: section name: qNR5:WbS
Source: q3oUuJIXkc.exe Static PE information: section name: z?fd8ijJ
Source: q3oUuJIXkc.exe Static PE information: section name: CV?7x>JO
Source: q3oUuJIXkc.exe Static PE information: section name: EVjKc_MI
Source: q3oUuJIXkc.exe Static PE information: section name: dT<:EHzj
Source: q3oUuJIXkc.exe Static PE information: section name: @]topACL
Source: gntuud.exe.0.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.0.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.0.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.0.dr Static PE information: section name: EVjKc_MI
Source: gntuud.exe.0.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.0.dr Static PE information: section name: @]topACL
Source: cred64[1].dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.1.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.1.dr Static PE information: section name: Uh%r6i!H
Source: initial sample Static PE information: section where entry point is pointing to: EVjKc_MI

Persistence and Installation Behavior

Source: Yara match File source: 00000001.00000003.350752206.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 5280, type: MEMORYSTR
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 1150005 value: E9 FB 99 C1 76
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 77D69A00 value: E9 0A 66 3E 89
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 1170007 value: E9 7B 4C C3 76
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 77DA4C80 value: E9 8E B3 3C 89
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: CB0005 value: E9 FB 99 0B 77
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: 77D69A00 value: E9 0A 66 F4 88
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: CC0007 value: E9 7B 4C 0E 77
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: 77DA4C80 value: E9 8E B3 F1 88
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 1230005 value: E9 FB 99 B3 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 77D69A00 value: E9 0A 66 4C 89
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 1240007 value: E9 7B 4C B6 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 77DA4C80 value: E9 8E B3 49 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9A0005 value: E9 FB 99 3C 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D69A00 value: E9 0A 66 C3 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9B0007 value: E9 7B 4C 3F 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77DA4C80 value: E9 8E B3 C0 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9C0005 value: E9 FB BF 37 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D3C000 value: E9 0A 40 C8 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9E0008 value: E9 AB E0 39 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D7E0B0 value: E9 60 1F C6 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: D00005 value: E9 CB 5A 8D 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775D5AD0 value: E9 3A A5 72 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: D10005 value: E9 5B B0 8E 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775FB060 value: E9 AA 4F 71 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: D20005 value: E9 DB F8 E0 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B2F8E0 value: E9 2A 07 1F 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 4EB0005 value: E9 FB 42 CA 6F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B54300 value: E9 0A BD 35 90
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D3C000 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775D5AD0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775FB060 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B2F8E0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B54300 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Special instruction interceptor: First address: 00000000006B25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Special instruction interceptor: First address: 00000000018C25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe RDTSC instruction interceptor: First address: 00000000006B25FE second address: 00000000006D33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F02DCAB0BC1h 0x00000008 call 00007F02DCA4F441h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F02DCC022DAh 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe RDTSC instruction interceptor: First address: 00000000018C25FE second address: 00000000018E33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F02DCDA5551h 0x00000008 call 00007F02DCD43DD1h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F02DCEF6C6Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000004CED526 second address: 0000000004CED559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5372 Thread sleep time: -870000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3176 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3312 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4992 Thread sleep time: -1440000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3312 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5372 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: ModuleInformation
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.4 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: 12.2.gntuud.exe.1280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.q3oUuJIXkc.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.315315946.0000000000071000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.379083563.0000000001281000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.350752206.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 5280, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml