Windows
Analysis Report
q3oUuJIXkc.exe
Overview
General Information
Detection
Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Yara detected Amadey's stealer DLL
Multi AV Scanner detection for submitted file
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Overwrites code with function prologues
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Abnormally high CPU usage
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Uses cacls to modify the permissions of files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- q3oUuJIXkc.exe (PID: 1780, cmdline: C:\Users\user\Desktop\q3oUuJIXkc.exe, MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- gntuud.exe (PID: 5280, cmdline: "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe", MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- schtasks.exe (PID: 1128, cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F, MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 1592, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 2188, cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5164, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 4216, cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y", MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cacls.exe (PID: 1844, cmdline: CACLS "gntuud.exe" /P "user:N", MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cacls.exe (PID: 5132, cmdline: CACLS "gntuud.exe" /P "user:R" /E, MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cmd.exe (PID: 4768, cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y", MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cacls.exe (PID: 5412, cmdline: CACLS "..\03bd543fce" /P "user:N", MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cacls.exe (PID: 5344, cmdline: CACLS "..\03bd543fce" /P "user:R" /E, MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- rundll32.exe (PID: 4828, cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- gntuud.exe (PID: 2468, cmdline: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe, MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- cleanup
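The process tree above shows the whole Amadey chain in command lines alone: the sample copies itself to %TEMP%\03bd543fce\gntuud.exe (same MD5 as the original), registers a scheduled task that relaunches the copy every minute, runs `echo Y|CACLS ... /P user:N` followed by `/P user:R /E` so the user keeps read/execute on the copy and its directory but loses the right to modify or delete them, and loads the stealer component with `rundll32 ...\cred64.dll, Main`. The Python below is an added example, not code from Joe Sandbox or from the Amadey sample; it turns those three behaviours into hunt logic over process-creation events. The events are constructed from the report's command lines (the DAILY task is an invented benign control), and the list of user-writable directories is an assumption limited to the two paths the report shows.

```python
"""Hunt logic for the Amadey chain in the process tree above (added example,
not Joe Sandbox or Amadey code). EVENTS is constructed from the report's
command lines; the DAILY task is an invented benign control."""
import ntpath
import re
import shlex
from dataclasses import dataclass

# Assumption: only the two user-writable locations this report shows.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


EVENTS = [  # constructed from the report (paths de-garbled)
    ProcEvent(1780, "q3oUuJIXkc.exe", r"C:\Users\user\Desktop\q3oUuJIXkc.exe"),
    ProcEvent(5280, "gntuud.exe", r'"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"'),
    ProcEvent(1128, "schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
              r'/TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F'),
    ProcEvent(2188, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"'
              r'&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"'
              r'&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit'),
    ProcEvent(4828, "rundll32.exe", r'"C:\Windows\System32\rundll32.exe" '
              r'C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main'),
    ProcEvent(9001, "schtasks.exe",  # invented benign control, must not fire
              r'schtasks.exe /Create /SC DAILY /TN Updater /TR "C:\Program Files\Vendor\upd.exe"'),
]


def _tokens(text):
    """Split a Windows command line without treating backslashes as escapes."""
    return [t.strip('"') for t in shlex.split(text, posix=False)]


def parse_schtasks(cmdline):
    """Return {'/sc': ..., '/tr': ...} for a schtasks /Create line, else None."""
    if not re.search(r"schtasks(?:\.exe)?\b.*/create\b", cmdline, re.I):
        return None
    toks = _tokens(cmdline)
    # every /switch followed by a non-switch token takes that token as its value
    return {t.lower(): toks[i + 1] for i, t in enumerate(toks[:-1])
            if t.startswith("/") and not toks[i + 1].startswith("/")}


def parse_cacls(cmdline):
    """Map each CACLS target to its ordered (principal:right, used /E) pairs."""
    acls = {}
    for seg in re.split(r"&&|\|", cmdline):  # cmd.exe chaining and pipes
        toks = _tokens(seg)
        if len(toks) < 2 or ntpath.basename(toks[0]).lower() not in ("cacls", "cacls.exe"):
            continue
        edit = any(t.lower() == "/e" for t in toks)  # /E edits; otherwise the ACL is replaced
        acls.setdefault(toks[1], []).extend(
            (toks[i + 1], edit) for i, t in enumerate(toks[:-1]) if t.lower() == "/p")
    return acls


def is_lockdown(seq):
    """ACL replaced with <user>:N and then /E-edited to <user>:R: the user keeps
    read/execute but can no longer modify or delete the object."""
    for i, (perm, edit) in enumerate(seq):
        user, right = perm.rpartition(":")[0].lower(), perm.rpartition(":")[2].upper()
        if right == "N" and not edit and any(
                p.lower().startswith(user + ":") and p.upper().endswith(":R") and e
                for p, e in seq[i + 1:]):
            return True
    return False


def parse_rundll32(cmdline):
    """Return (dll_path, export) for 'rundll32 <dll>,<export>', else None."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', cmdline, re.I)
    return (m.group(1), m.group(2)) if m else None


def hunt(events):
    """One finding per matching behaviour, in event order."""
    findings = []
    for ev in events:
        st = parse_schtasks(ev.cmdline)
        if st and st.get("/sc", "").upper() == "MINUTE" and USER_WRITABLE.search(st.get("/tr", "")):
            findings.append({"pid": ev.pid, "rule": "minute_task_from_user_dir", "target": st["/tr"]})
        for target, seq in parse_cacls(ev.cmdline).items():
            if is_lockdown(seq):
                findings.append({"pid": ev.pid, "rule": "cacls_self_lockdown", "target": target})
        dll = parse_rundll32(ev.cmdline)
        if dll and USER_WRITABLE.search(dll[0]):
            findings.append({"pid": ev.pid, "rule": "rundll32_dll_from_user_dir",
                             "target": dll[0], "export": dll[1]})
    return findings


def correlate(findings):
    """Basenames that are both persisted by a minute task and ACL-locked."""
    by_rule = lambda r: {ntpath.basename(f["target"]).lower() for f in findings if f["rule"] == r}
    return sorted(by_rule("minute_task_from_user_dir") & by_rule("cacls_self_lockdown"))


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
    print("persisted and locked:", correlate(hunt(EVENTS)))
```

Run against the report's events, `hunt` returns four findings (the minute task, both CACLS lockdowns, and the rundll32 load from %AppData%) and `correlate` names gntuud.exe as the binary that is both persisted and ACL-locked; the benign DAILY task produces nothing. The order check in `is_lockdown` matters: `/P user:R /E` followed by a replacing `/P user:N` would be a full deny, a different behaviour from the read-only lockdown this sample performs.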
Malware Configuration
{"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security | |
| | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: Virustotal (permalink)
- Source: ReversingLabs
- Source: Avira URL Cloud
- Source: ReversingLabs
- Source: Malware Configuration Extractor
- Source: Static PE information
- Source: Static PE information
- Source: Binary string
Networking