Windows Analysis Report
q3oUuJIXkc.exe

Overview

General Information

Sample Name: q3oUuJIXkc.exe
Analysis ID: 764037
MD5: 2239a58cc93fd94dc2806ce7f6af0a0b
SHA1: f09eb7d69bc7440d3d45e14267236a78ac789fcb
SHA256: 682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
Tags: 32exetrojan
Infos:

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Overwrites code with function prologues
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to evade analysis by execution special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Uses cacls to modify the permissions of files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: q3oUuJIXkc.exe Virustotal: Detection: 15% Perma Link
Source: q3oUuJIXkc.exe ReversingLabs: Detection: 35%
Antivirus detection for URL or domain
Source: http://85.209.135.109/jg94cVd30f/index.php?scr=1 Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe ReversingLabs: Detection: 35%
Source: 12.2.gntuud.exe.1280000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}
Uses 32bit PE files
Source: q3oUuJIXkc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: q3oUuJIXkc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: q3oUuJIXkc.exe, gntuud.exe.0.dr

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.4 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 85.209.135.109/jg94cVd30f/index.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php0
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php58e5d3
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php?scr=1
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpF
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpR
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpb
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpd3
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpj
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpv
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpz
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr String found in binary or memory: https://sectigo.com/CPS0
Creates a DirectInput object (often for capturing keystrokes)
Source: q3oUuJIXkc.exe, 00000000.00000002.324348201.000000000136A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
PE file contains section with special chars
Source: q3oUuJIXkc.exe Static PE information: section name: lB@dO\ih
Source: q3oUuJIXkc.exe Static PE information: section name: Fh?jG[OJ
Source: q3oUuJIXkc.exe Static PE information: section name: qNR5:WbS
Source: q3oUuJIXkc.exe Static PE information: section name: z?fd8ijJ
Source: q3oUuJIXkc.exe Static PE information: section name: CV?7x>JO
Source: q3oUuJIXkc.exe Static PE information: section name: dT<:EHzj
Source: q3oUuJIXkc.exe Static PE information: section name: @]topACL
Source: gntuud.exe.0.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.0.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.0.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.0.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.0.dr Static PE information: section name: @]topACL
Source: cred64[1].dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.1.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.1.dr Static PE information: section name: Uh%r6i!H
Uses 32bit PE files
Source: q3oUuJIXkc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: q3oUuJIXkc.exe, 00000000.00000003.307486785.00000000012DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
Source: q3oUuJIXkc.exe, 00000000.00000002.324049922.0000000000B85000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
Source: q3oUuJIXkc.exe, 00000000.00000000.297381574.0000000000B85000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
Source: q3oUuJIXkc.exe Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe
PE / OLE file has an invalid certificate
Source: q3oUuJIXkc.exe Static PE information: invalid certificate
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll 8C46C2AF1CB25BFA8FBBF9D683D72D30DDB2E5D0ECC6BBA997B24714CF2B8C91
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe 682ABD62B6E3C0E8CA57F079CD96F2D3848752EAF7002BDF57BFB512BD242811
Source: q3oUuJIXkc.exe Virustotal: Detection: 15%
Source: q3oUuJIXkc.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File read: C:\Users\user\Desktop\q3oUuJIXkc.exe Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\q3oUuJIXkc.exe C:\Users\user\Desktop\q3oUuJIXkc.exe
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3 Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@24/9@0/2
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\118b2709b7d16171ccdcf59ab82ccd18
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Mutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c
Source: q3oUuJIXkc.exe Static file information: File size 7732440 > 1048576
Source: q3oUuJIXkc.exe Static PE information: Raw size of EVjKc_MI is bigger than: 0x100000 < 0x6f7800
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: q3oUuJIXkc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: q3oUuJIXkc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: q3oUuJIXkc.exe, gntuud.exe.0.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_3_04F5861C pushad ; ret 13_3_04F58829
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_3_04F5460E push eax; ret 13_3_04F54691
PE file contains sections with non-standard names
Source: q3oUuJIXkc.exe Static PE information: section name: lB@dO\ih
Source: q3oUuJIXkc.exe Static PE information: section name: Fh?jG[OJ
Source: q3oUuJIXkc.exe Static PE information: section name: qNR5:WbS
Source: q3oUuJIXkc.exe Static PE information: section name: z?fd8ijJ
Source: q3oUuJIXkc.exe Static PE information: section name: CV?7x>JO
Source: q3oUuJIXkc.exe Static PE information: section name: EVjKc_MI
Source: q3oUuJIXkc.exe Static PE information: section name: dT<:EHzj
Source: q3oUuJIXkc.exe Static PE information: section name: @]topACL
Source: gntuud.exe.0.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.0.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.0.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.0.dr Static PE information: section name: EVjKc_MI
Source: gntuud.exe.0.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.0.dr Static PE information: section name: @]topACL
Source: cred64[1].dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.1.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.1.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.1.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.1.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.1.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.1.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.1.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.1.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.1.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.1.dr Static PE information: section name: Uh%r6i!H
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: EVjKc_MI

Persistence and Installation Behavior
barindex
Yara detected Amadey bot
Source: Yara match File source: 00000001.00000003.350752206.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 5280, type: MEMORYSTR
Drops PE files
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll Jump to dropped file

Boot Survival
barindex
Creates an undocumented autostart registry key
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 1150005 value: E9 FB 99 C1 76 Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 77D69A00 value: E9 0A 66 3E 89 Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 1170007 value: E9 7B 4C C3 76 Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Memory written: PID: 1780 base: 77DA4C80 value: E9 8E B3 3C 89 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: CB0005 value: E9 FB 99 0B 77 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: 77D69A00 value: E9 0A 66 F4 88 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: CC0007 value: E9 7B 4C 0E 77 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5280 base: 77DA4C80 value: E9 8E B3 F1 88 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 1230005 value: E9 FB 99 B3 76 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 77D69A00 value: E9 0A 66 4C 89 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 1240007 value: E9 7B 4C B6 76 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 2468 base: 77DA4C80 value: E9 8E B3 49 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9A0005 value: E9 FB 99 3C 77 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D69A00 value: E9 0A 66 C3 88 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9B0007 value: E9 7B 4C 3F 77 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77DA4C80 value: E9 8E B3 C0 88 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9C0005 value: E9 FB BF 37 77 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D3C000 value: E9 0A 40 C8 88 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 9E0008 value: E9 AB E0 39 77 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D7E0B0 value: E9 60 1F C6 88 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: D00005 value: E9 CB 5A 8D 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775D5AD0 value: E9 3A A5 72 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: D10005 value: E9 5B B0 8E 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775FB060 value: E9 AA 4F 71 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: D20005 value: E9 DB F8 E0 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B2F8E0 value: E9 2A 07 1F 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 4EB0005 value: E9 FB 42 CA 6F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B54300 value: E9 0A BD 35 90 Jump to behavior
Overwrites code with function prologues
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 77D3C000 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775D5AD0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 775FB060 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B2F8E0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4828 base: 74B54300 value: 8B FF 55 8B EC Jump to behavior
Uses cacls to modify the permissions of files
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to evade analysis by execution special instruction (VM detection)
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Special instruction interceptor: First address: 00000000006B25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Special instruction interceptor: First address: 00000000018C25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe RDTSC instruction interceptor: First address: 00000000006B25FE second address: 00000000006D33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F02DCAB0BC1h 0x00000008 call 00007F02DCA4F441h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F02DCC022DAh 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe RDTSC instruction interceptor: First address: 00000000018C25FE second address: 00000000018E33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F02DCDA5551h 0x00000008 call 00007F02DCD43DD1h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F02DCEF6C6Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000004CED526 second address: 0000000004CED559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5372 Thread sleep time: -870000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3176 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3312 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4992 Thread sleep time: -1440000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3312 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5372 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 360000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 360000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: ModuleInformation Jump to behavior
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.4 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 12.2.gntuud.exe.1280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.q3oUuJIXkc.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.315315946.0000000000071000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.379083563.0000000001281000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match File source: 00000001.00000003.350752206.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 5280, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior