Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 764042
MD5: 95c94ebd6b69847c3fa598163f499c78
SHA1: b3f2b849bb2f9ddbd3551e60973c3fe8f228516e
SHA256: 51d878f00166f0fa41b1d26d3f1f386aae3697fd35bf1a798aecb442eca437c5
Tags: exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadeys stealer DLL
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses cacls to modify the permissions of files
Contains functionality to launch a program with higher privileges
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 160 cmdline: C:\Users\user\Desktop\file.exe MD5: 95C94EBD6B69847C3FA598163F499C78)
    • gntuud.exe (PID: 5144 cmdline: "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" MD5: 95C94EBD6B69847C3FA598163F499C78)
      • schtasks.exe (PID: 1516 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2764 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5916 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • cacls.exe (PID: 4572 cmdline: CACLS "gntuud.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
        • cacls.exe (PID: 5944 cmdline: CACLS "gntuud.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
        • cmd.exe (PID: 3712 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • cacls.exe (PID: 260 cmdline: CACLS "..\9c69749b54" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
        • cacls.exe (PID: 5632 cmdline: CACLS "..\9c69749b54" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
      • rundll32.exe (PID: 4240 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • gntuud.exe (PID: 2832 cmdline: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe MD5: 95C94EBD6B69847C3FA598163F499C78)
  • cleanup

Malware Configuration

{"C2 url": "31.41.244.237/jg94cVd30f/index.php", "Version": "3.50"}

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll | INDICATOR_TOOL_PWS_Amady | Detects password stealer DLL. Dropped by Amadey | ditekSHen
  • 0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb
  • 0x190dc:$s4: \HostName
  • 0x19104:$s5: \Password
  • 0x17c08:$s6: SOFTWARE\RealVNC\
  • 0x17c34:$s6: SOFTWARE\RealVNC\
  • 0x17c60:$s6: SOFTWARE\RealVNC\
  • 0x17ca8:$s6: SOFTWARE\RealVNC\
  • 0x17cd4:$s6: SOFTWARE\RealVNC\
  • 0x1800c:$s7: SOFTWARE\TightVNC\
  • 0x18038:$s7: SOFTWARE\TightVNC\
  • 0x18064:$s7: SOFTWARE\TightVNC\
  • 0x180b0:$s7: SOFTWARE\TightVNC\
  • 0x1c43c:$s8: cred.dll
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | INDICATOR_TOOL_PWS_Amady | Detects password stealer DLL. Dropped by Amadey | ditekSHen
  • 0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb
  • 0x190dc:$s4: \HostName
  • 0x19104:$s5: \Password
  • 0x17c08:$s6: SOFTWARE\RealVNC\
  • 0x17c34:$s6: SOFTWARE\RealVNC\
  • 0x17c60:$s6: SOFTWARE\RealVNC\
  • 0x17ca8:$s6: SOFTWARE\RealVNC\
  • 0x17cd4:$s6: SOFTWARE\RealVNC\
  • 0x1800c:$s7: SOFTWARE\TightVNC\
  • 0x18038:$s7: SOFTWARE\TightVNC\
  • 0x18064:$s7: SOFTWARE\TightVNC\
  • 0x180b0:$s7: SOFTWARE\TightVNC\
  • 0x1c43c:$s8: cred.dll

Source | Rule | Description | Author | Strings
00000007.00000002.379221894.0000000000400000.00000040.00000001.01000000.00000004.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000007.00000002.379447537.00000000006C5000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1358:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.364509891.000000000072F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security
00000001.00000003.388349962.000000000072F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security
00000000.00000003.307521175.0000000000920000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

Source | Rule | Description | Author | Strings
7.3.gntuud.exe.b00000.0.raw.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
7.3.gntuud.exe.b00000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
7.2.gntuud.exe.400000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0.2.file.exe.5e0e67.1.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0.2.file.exe.400000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

No Sigma rule has matched
No Snort rule has matched

                        AV Detection

Source: http://31.41.244.237/jg94cVd30f/index.phpW | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.phpWindows | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.php9749b54 | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.php1df1 | Avira URL Cloud: Label: malware
Source: 31.41.244.237/jg94cVd30f/index.php | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.phpce401df1 | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.phpl4 | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.phpq | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.phpc | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.php | Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.php?scr=1 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll | Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll | ReversingLabs: Detection: 88%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Joe Sandbox ML: detected
Source: 0.3.file.exe.920000.0.unpack | Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.237/jg94cVd30f/index.php", "Version": "3.50"}

                        Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Unpacked PE file: 7.2.gntuud.exe.400000.0.unpack
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb | source: file.exe, file.exe, 00000000.00000003.307521175.0000000000920000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.310262751.0000000000400000.00000040.00000001.01000000.00000003.sdmp, gntuud.exe, gntuud.exe, 00000007.00000002.379221894.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000007.00000003.378914980.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000007.00000002.379592093.0000000000900000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\wivex-ribinese.pdb | source: file.exe, gntuud.exe.0.dr
Source: Binary string: SC:\wivex-ribinese.pdb | source: file.exe, gntuud.exe.0.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00420C88 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00420C88 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00920EEF FindFirstFileExW

                        Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.244.237 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.5 80
Source: Malware configuration extractor | URLs: 31.41.244.237/jg94cVd30f/index.php
Source: Joe Sandbox View | ASN Name: AEROEXPRESS-ASRU AEROEXPRESS-ASRU
Source: Joe Sandbox View | IP Address: 31.41.244.237 31.41.244.237
Source: gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.388236501.000000000071A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.php
Source: gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.php1df1
Source: gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.344978359.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.php9749b54
Source: gntuud.exe, 00000001.00000003.388236501.000000000071A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.php?scr=1
Source: gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.phpW
Source: gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.phpWindows
Source: gntuud.exe, 00000001.00000003.344978359.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.phpc
Source: gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.phpce401df1
Source: gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.344978359.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.phpl4
Source: gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.phpq
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004041F0 InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402C70 RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyExA, RegSetValueExA, RegCloseKey, GdiplusStartup, GetDC, RegGetValueA, RegGetValueA, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, RegGetValueA, GetSystemMetrics, GetSystemMetrics, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, GdipCreateBitmapFromHBITMAP, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipSaveImageToFile, SelectObject, DeleteObject, DeleteObject, DeleteObject, ReleaseDC, GdipDisposeImage, GdiplusShutdown
Source: file.exe, 00000000.00000002.310477419.000000000062A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                        System Summary

Source: 00000007.00000002.379447537.00000000006C5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.310374137.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.310495000.0000000000633000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.379592093.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, type: DROPPED | Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED | Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000007.00000002.379447537.00000000006C5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.310374137.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.310495000.0000000000633000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.379592093.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, type: DROPPED | Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED | Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00429560
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042857D
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00406F30
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00429560
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0042857D
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_009297C7
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_009287E4
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: String function: 00418D20 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: String function: 009172A7 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: String function: 00918F87 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: String function: 00417040 appears 130 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00418D20 appears 35 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00417040 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process Stats: CPU usage > 98%
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll C7D804E8FB096769B0E199102BDF8EFA97DFAE1A9B57A479819971146877368B
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:R" /E
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | File created: C:\Users\user\AppData\Roaming\85f469ce401df1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\9c69749b54
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@24/9@0/3
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006341D6 CreateToolhelp32Snapshot, Module32First
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3772:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Mutant created: \Sessions\1\BaseNamedObjects\85f469ce401df19fc5a7f9408bc52f06
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\58912ebbcc55d5bba3ec180a591c7cdf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_01
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb | source: file.exe, file.exe, 00000000.00000003.307521175.0000000000920000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.310262751.0000000000400000.00000040.00000001.01000000.00000003.sdmp, gntuud.exe, gntuud.exe, 00000007.00000002.379221894.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000007.00000003.378914980.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000007.00000002.379592093.0000000000900000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\wivex-ribinese.pdb | source: file.exe, gntuud.exe.0.dr
Source: Binary string: SC:\wivex-ribinese.pdb | source: file.exe, gntuud.exe.0.dr

                        Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Unpacked PE file: 7.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.kibu:R;.yaza:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Unpacked PE file: 7.2.gntuud.exe.400000.0.unpack .text:ER;.data:W;.kibu:R;.yaza:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006379D8 push ss; retf
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00639318 pushad ; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00634CF2 pushfd ; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006366F0 push edi; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00636763 push ecx; iretd
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0090B9C2 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0090BA85 push cs; retf 0000h
Source: file.exe | Static PE information: section name: .kibu
Source: file.exe | Static PE information: section name: .yaza
Source: gntuud.exe.0.dr | Static PE information: section name: .kibu
Source: gntuud.exe.0.dr | Static PE information: section name: .yaza

Persistence and Installation Behavior

Source: Yara match | File source: 00000001.00000003.364509891.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.388349962.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.345025850.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gntuud.exe PID: 5144, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | File created: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 5140 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 1252 | Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 1364 | Thread sleep time: -1980000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 1248 | Thread sleep time: -1440000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 5140 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\file.exe | API coverage: 5.9 %
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | API coverage: 3.8 %
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405470 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00420C88 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00420C88 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00920EEF FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Thread delayed: delay time: 30000
Source: gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.344978359.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.310607640.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: }#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.310607640.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418B47 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B9E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DFE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00633AB3 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0041B9E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0041DFE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0090092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0091E249 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0091BC48 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00900D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418243 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418B47 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CB60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00418243 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00418B47 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0041CB60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_009184AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_00918DAE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Code function: 7_2_0091CDC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.244.237 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.5 80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403FB0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004043C0 ShellExecuteA,
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation (20 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418967 cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418D81 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00424CA6 _free,_free,_free,GetTimeZoneInformation,_free,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405470 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B8C0 GetUserNameA,SetCurrentDirectoryA,

Stealing of Sensitive Information

Source: Yara match | File source: 7.3.gntuud.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.gntuud.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.gntuud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.5e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.gntuud.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.gntuud.exe.900e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.gntuud.exe.900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.gntuud.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.gntuud.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.379221894.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.307521175.0000000000920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.378914980.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.310374137.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.379592093.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.310262751.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.323578847.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED
Source: Yara match | File source: 00000001.00000003.364509891.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.388349962.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.345025850.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gntuud.exe PID: 5144, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
MITRE ATT&CK Matrix (one line per tactic column; techniques with observed signatures carry the report's hit-count digits in front of the name, e.g. "1 Scheduled Task/Job", all other cells are unmarked)

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 1 Scheduled Task/Job | Scheduled Task/Job | At (Linux) | At (Windows) | Cron | Launchd | Scheduled Task | Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Services File Permissions Weakness | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items | Scheduled Task/Job
Privilege Escalation: 1 Exploitation for Privilege Escalation | 211 Process Injection | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Services File Permissions Weakness | Rc.common | Startup Items | Scheduled Task/Job
Defense Evasion: 1 Deobfuscate/Decode Files or Information | 2 Obfuscated Files or Information | 2 Software Packing | 1 Masquerading | 21 Virtualization/Sandbox Evasion | 211 Process Injection | 1 Services File Permissions Weakness | 1 Rundll32
Credential Access: 1 OS Credential Dumping | 1 Input Capture | 2 Credentials in Registry | 1 Credentials In Files | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 2 System Time Discovery | 1 Account Discovery | 2 File and Directory Discovery | 24 System Information Discovery | 121 Security Software Discovery | 21 Virtualization/Sandbox Evasion | 1 Process Discovery | 1 System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Shared Webroot
Collection: 1 Archive Collected Data | 1 Data from Local System | 1 Screen Capture | 1 Email Collection | 1 Input Capture | GUI Input Capture | Web Portal Capture | Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Ingress Tool Transfer | 1 Encrypted Channel | 1 Application Layer Protocol | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication | Jamming or Denial of Service | Rogue Wi-Fi Access Points | Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings | Abuse Accessibility Features | Data Encrypted for Impact | Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 764042, Sample: file.exe, Start date: 09/12/2022, Architecture: WINDOWS, Score: 100); the graph image is not reproduced here, its node and edge text is summarised below.
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 5 other signatures.
file.exe (started): dropped C:\Users\user\AppData\Local\...\gntuud.exe (PE32) and C:\Users\user\...\gntuud.exe:Zone.Identifier (ASCII); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Contains functionality to inject code into remote processes; started gntuud.exe. A second gntuud.exe instance was also started from the root of the graph.
gntuud.exe: contacted 31.41.244.237 (AEROEXPRESS-ASRU, Russian Federation) and 192.168.2.1 (unknown); dropped C:\Users\user\AppData\Roaming\...\cred64.dll (PE32) and C:\Users\user\AppData\Local\...\cred64[1].dll (PE32); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Creates an undocumented autostart registry key, 2 other signatures; started rundll32.exe, cmd.exe and schtasks.exe.
rundll32.exe: contacted 192.168.2.5 (unknown); signatures: System process connects to network (likely due to code injection or exploit), Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc), Tries to steal Instant Messenger accounts or passwords, 2 other signatures.
cmd.exe: started conhost.exe, two further cmd.exe instances and 4 other processes. schtasks.exe: started conhost.exe.

Source | Detection | Scanner | Label
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 100% | Avira | HEUR/AGEN.1233121
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll | 100% | Avira | HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 88% | ReversingLabs | Win32.Infostealer.Decred
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll | 88% | ReversingLabs | Win32.Infostealer.Decred

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://31.41.244.237/jg94cVd30f/index.phpW | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.phpWindows | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.php9749b54 | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.php1df1 | 100% | Avira URL Cloud | malware
31.41.244.237/jg94cVd30f/index.php | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.phpce401df1 | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.phpl4 | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.phpq | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.phpc | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.php | 100% | Avira URL Cloud | malware
http://31.41.244.237/jg94cVd30f/index.php?scr=1 | 100% | Avira URL Cloud | malware
                        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
31.41.244.237/jg94cVd30f/index.php | true | Avira URL Cloud: malware | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://31.41.244.237/jg94cVd30f/index.phpWindows | gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.phpce401df1 | gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.php9749b54 | gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.344978359.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.phpW | gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.php1df1 | gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.phpc | gntuud.exe, 00000001.00000003.344978359.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.phpq | gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.phpl4 | gntuud.exe, 00000001.00000003.388326932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.344978359.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.php | gntuud.exe, 00000001.00000003.364486661.0000000000729000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.388236501.000000000071A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://31.41.244.237/jg94cVd30f/index.php?scr=1 | gntuud.exe, 00000001.00000003.388236501.000000000071A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
31.41.244.237 | unknown | Russian Federation | | 61974 | AEROEXPRESS-ASRU | true
                        IP
                        192.168.2.1
                        192.168.2.5
                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:764042
                        Start date and time:2022-12-09 10:57:06 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 12m 5s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:file.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:17
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.phis.troj.spyw.evad.winEXE@24/9@0/3
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 0.2% (good quality ratio 0.2%)
                        • Quality average: 67.3%
                        • Quality standard deviation: 15.3%
                        HCA Information:
                        • Successful, ratio: 83%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240s for sample files taking high CPU consumption
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
10:58:16 | Task Scheduler | Run new task: gntuud.exe path: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
10:58:16 | API Interceptor | 2464x Sleep call for process: gntuud.exe modified
                        No context
                        Process:C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):129024
                        Entropy (8bit):6.511981065302762
                        Encrypted:false
                        SSDEEP:3072:Yx7pOYzBek53tiINwyP7XSSJds3zhrjPcnqULv4i9:Yx7ZNh53vwyOztPc3L
                        MD5:C0FD0167E213B6148333351BD16ED1FB
                        SHA1:1CFB2B42686557656DEAD53E02D1DB3F2A848026
                        SHA-256:C7D804E8FB096769B0E199102BDF8EFA97DFAE1A9B57A479819971146877368B
                        SHA-512:D514F35E62A5380B4AD96A3E0CDDF82B53B1CF273E5AC542F040F30A75EFD3C246FA2194E4BB273572CD2436A435A608E2B919F6DF9FA4EBBF452B0D297B0CF9
                        Malicious:true
                        Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, Author: Joe Security
                        • Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, Author: ditekSHen
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 88%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                        Category:dropped
                        Size (bytes):84616
                        Entropy (8bit):7.8985195360187825
                        Encrypted:false
                        SSDEEP:1536:C+7TcPwEAr1uN4roDPa/UPwJyv9w2rMrjiag8vc4t0EtAfDRMQ8tsC:T1uEojaMZrcbvc4t0ECFRC
                        MD5:7AC0577A07DB145B45C2FF5550A678C3
                        SHA1:5FFD1CEF1C87E884645CB59A25AB05A8B042D860
                        SHA-256:082E6112C31331307793AE8D779CE62C1AD589A041497F6DD91BC51C43EDD3C8
                        SHA-512:958D5628BA696F1EB05F77D3E09475FFB0C9E7C0C9BF5DC21D9999F7CB8BA7AAAF338A741F026EBD1A406D82B05D7AD571795B612B69AE0AD64DF9F4C7C21C4D
                        Malicious:false
                        Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(....Q..R...`2.`....j.$.....+..];$....F...K.1...3.)k...@<1..@.../...G. .....g.G.....~.W.W.......
                        Process:C:\Users\user\Desktop\file.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):431104
                        Entropy (8bit):6.163894209315941
                        Encrypted:false
                        SSDEEP:6144:4XpGLNufxsoxVK3o5aw03th0c2EM9X4bhh6K9W9TnWded89kTR:4MJufqkK45Idu7EM9XCIK9W9Daw
                        MD5:95C94EBD6B69847C3FA598163F499C78
                        SHA1:B3F2B849BB2F9DDBD3551E60973C3FE8F228516E
                        SHA-256:51D878F00166F0FA41B1D26D3F1F386AAE3697FD35BF1A798AECB442ECA437C5
                        SHA-512:68814791E8E0091A3D0465144AADBB6B69728B6C293E8237760A13055ED46F9F5FB6978DE713A671B84240B66FC0D18ABE7C0D78228AC5F735CA997775C05C5A
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L...GHia.................n...R.......p............@.........................................................................s..<.... ..............................................................0I..@............................................text...Vm.......n.................. ..`.data...D|.......N...r..............@....kibu...............................@..@.yaza...p...........................@..@.rsrc........ ......................@..@.reloc..l............v..............@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\file.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0
                        Process:C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):129024
                        Entropy (8bit):6.511981065302762
                        Encrypted:false
                        SSDEEP:3072:Yx7pOYzBek53tiINwyP7XSSJds3zhrjPcnqULv4i9:Yx7ZNh53vwyOztPc3L
                        MD5:C0FD0167E213B6148333351BD16ED1FB
                        SHA1:1CFB2B42686557656DEAD53E02D1DB3F2A848026
                        SHA-256:C7D804E8FB096769B0E199102BDF8EFA97DFAE1A9B57A479819971146877368B
                        SHA-512:D514F35E62A5380B4AD96A3E0CDDF82B53B1CF273E5AC542F040F30A75EFD3C246FA2194E4BB273572CD2436A435A608E2B919F6DF9FA4EBBF452B0D297B0CF9
                        Malicious:true
                        Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Author: Joe Security
                        • Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Author: ditekSHen
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 88%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\cacls.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):15
                        Entropy (8bit):3.240223928941852
                        Encrypted:false
                        SSDEEP:3:o3F:o1
                        MD5:509B054634B6DE74F111C3E646BC80FD
                        SHA1:99B4C0F39144A92FE42E22473A2A2552FB16BD13
                        SHA-256:07C7C151ADD6D955F3C876359C0E2A3A3FB0C519DD1E574413F0B68B345D8C36
                        SHA-512:A9C2D23947DBE09D5ECFBF6B3109F3CF8409E43176AE10C18083446EDE006E60E41C3EA2D2765036A967FC81B085D5F271686606AED4154AE45287D412CF6D40
                        Malicious:false
                        Preview:processed dir:
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.163894209315941
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:431104
                        MD5:95c94ebd6b69847c3fa598163f499c78
                        SHA1:b3f2b849bb2f9ddbd3551e60973c3fe8f228516e
                        SHA256:51d878f00166f0fa41b1d26d3f1f386aae3697fd35bf1a798aecb442eca437c5
                        SHA512:68814791e8e0091a3d0465144aadbb6b69728b6c293e8237760a13055ed46f9f5fb6978de713a671b84240b66fc0d18abe7c0d78228ac5f735ca997775c05c5a
                        SSDEEP:6144:4XpGLNufxsoxVK3o5aw03th0c2EM9X4bhh6K9W9TnWded89kTR:4MJufqkK45Idu7EM9XCIK9W9Daw
                        TLSH:EE94D0013181C4F1C7620D775825CBE1E93BB46BFB656927F3D82BAF6E701D1BA62212
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L...GHia.................n.
                        Icon Hash:8286cccea68c9c84
                        Entrypoint:0x407096
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:TERMINAL_SERVER_AWARE
                        Time Stamp:0x61694847 [Fri Oct 15 09:22:15 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:eeffe9860bc9c6507e24465b9b5239be
                        Instruction
                        call 00007FA581300BACh
                        jmp 00007FA5812FAF0Eh
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        sub esp, 28h
                        xor eax, eax
                        push ebx
                        mov ebx, dword ptr [ebp+0Ch]
                        push esi
                        mov esi, dword ptr [ebp+10h]
                        push edi
                        mov edi, dword ptr [ebp+08h]
                        mov byte ptr [ebp-08h], al
                        mov byte ptr [ebp-07h], al
                        mov byte ptr [ebp-06h], al
                        mov byte ptr [ebp-05h], al
                        mov byte ptr [ebp-04h], al
                        mov byte ptr [ebp-03h], al
                        mov byte ptr [ebp-02h], al
                        mov byte ptr [ebp-01h], al
                        cmp dword ptr [0044CC84h], eax
                        je 00007FA5812FB0A0h
                        push dword ptr [0044FC28h]
                        call 00007FA5812FFAD8h
                        pop ecx
                        jmp 00007FA5812FB097h
                        mov eax, 0040CC48h
                        mov ecx, dword ptr [ebp+14h]
                        mov edx, 000000A6h
                        cmp ecx, edx
                        jg 00007FA5812FB20Ah
                        je 00007FA5812FB1F1h
                        cmp ecx, 19h
                        jg 00007FA5812FB18Eh
                        je 00007FA5812FB17Fh
                        mov edx, ecx
                        push 00000002h
                        pop ecx
                        sub edx, ecx
                        je 00007FA5812FB163h
                        dec edx
                        je 00007FA5812FB153h
                        sub edx, 05h
                        je 00007FA5812FB13Bh
                        dec edx
                        je 00007FA5812FB11Ch
                        sub edx, 05h
                        je 00007FA5812FB103h
                        dec edx
                        je 00007FA5812FB0D7h
                        sub edx, 09h
                        jne 00007FA5812FB26Ah
                        mov dword ptr [ebp-28h], 00000003h
                        mov dword ptr [ebp-24h], 00401348h
                        fld qword ptr [edi]
                        lea ecx, dword ptr [ebp-28h]
                        fstp qword ptr [ebp-20h]
                        push ecx
                        fld qword ptr [ebx]
                        fstp qword ptr [ebp+00h]
                        Programming Language:
                        • [C++] VS2008 build 21022
                        • [ASM] VS2008 build 21022
                        • [ C ] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [RES] VS2008 build 21022
                        • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x173c4 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x1a510 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6d000 | 0xda4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4930 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16d56 | 0x16e00 | False | 0.5950734289617486 | data | 6.699063269629476 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x37c44 | 0x34e00 | False | 0.5780003324468085 | data | 5.571732324854472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.kibu | 0x50000 | 0xbb8 | 0xc00 | False | 0.008138020833333334 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yaza | 0x51000 | 0x270 | 0x400 | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x52000 | 0x1a510 | 0x1a600 | False | 0.6378665580568721 | data | 6.239262462280845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6d000 | 0x1c6c | 0x1e00 | False | 0.38958333333333334 | data | 3.882445369472534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0x6a450 | 0x2 | data | Slovak | Slovakia
AFX_DIALOG_LAYOUT | 0x6a438 | 0x2 | data | Slovak | Slovakia
AFX_DIALOG_LAYOUT | 0x6a440 | 0xc | data | Slovak | Slovakia
SUXUMOWUDAKOLA | 0x682d0 | 0x2107 | ASCII text, with very long lines (8455), with no line terminators | Slovak | Slovakia
RT_CURSOR | 0x6a458 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Slovak | Slovakia
RT_CURSOR | 0x6b300 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Slovak | Slovakia
RT_CURSOR | 0x6bbd0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | Slovak | Slovakia
RT_CURSOR | 0x6bd00 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | Slovak | Slovakia
RT_ICON | 0x52990 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x53058 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x55600 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x55a98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x56940 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x571e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x57750 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x59cf8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x5ada0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x5b728 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x5bbf8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x5caa0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x5d348 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x5da10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Slovak | Slovakia
RT_ICON | 0x5df78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x60520 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x615c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Slovak | Slovakia
RT_ICON | 0x61a98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Slovak | Slovakia
RT_ICON | 0x62940 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Slovak | Slovakia
RT_ICON | 0x631e8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Slovak | Slovakia
RT_ICON | 0x638b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Slovak | Slovakia
RT_ICON | 0x63e18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Slovak | Slovakia
RT_ICON | 0x663c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Slovak | Slovakia
RT_ICON | 0x67468 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Slovak | Slovakia
RT_ICON | 0x67df0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Slovak | Slovakia
RT_STRING | 0x6bfc8 | 0x542 | data | Slovak | Slovakia
RT_ACCELERATOR | 0x6a3d8 | 0x40 | data | Slovak | Slovakia
RT_GROUP_CURSOR | 0x6bba8 | 0x22 | data | Slovak | Slovakia
RT_GROUP_CURSOR | 0x6bdb0 | 0x22 | data | Slovak | Slovakia
RT_GROUP_ICON | 0x61a30 | 0x68 | data | Slovak | Slovakia
RT_GROUP_ICON | 0x55a68 | 0x30 | data | Slovak | Slovakia
RT_GROUP_ICON | 0x5bb90 | 0x68 | data | Slovak | Slovakia
RT_GROUP_ICON | 0x68258 | 0x76 | data | Slovak | Slovakia
RT_VERSION | 0x6bdd8 | 0x1f0 | MS Windows COFF PowerPC object file | Slovak | Slovakia
None | 0x6a418 | 0xa | data | Slovak | Slovakia
None | 0x6a428 | 0xa | data | Slovak | Slovakia
DLL | Import
KERNEL32.dll | FillConsoleOutputCharacterA, GetCPInfo, GetProfileIntW, GetSystemDefaultLCID, GetModuleHandleW, WaitNamedPipeW, TlsSetValue, GetPriorityClass, GetVolumeInformationA, LoadLibraryW, IsProcessInJob, AssignProcessToJobObject, GetCalendarInfoW, GetFileAttributesA, TransactNamedPipe, WriteConsoleW, GetVolumePathNameA, CreateJobObjectA, GetVolumeNameForVolumeMountPointA, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, SetFileAttributesA, LoadLibraryA, WriteConsoleA, GetProcessWorkingSetSize, LocalAlloc, OpenJobObjectW, FoldStringW, FoldStringA, FindFirstChangeNotificationA, GetFileInformationByHandle, FindActCtxSectionStringW, LCMapStringW, GetConsoleAliasesW, GetFullPathNameW, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, SetHandleCount, GetFileType, GetStartupInfoA, SetFilePointer, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetConsoleOutputCP, MultiByteToWideChar, SetStdHandle, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetModuleHandleA, HeapSize, GetLocaleInfoA, LCMapStringA, GetStringTypeA, GetStringTypeW, SetEndOfFile, GetProcessHeap, ReadFile
ADVAPI32.dll | BackupEventLogW
                        Language of compilation systemCountry where language is spokenMap
                        SlovakSlovakia
                        No network behavior found
                        Target ID:0
                        Start time:10:57:59
                        Start date:09/12/2022
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\file.exe
                        Imagebase:0x400000
                        File size:431104 bytes
                        MD5 hash:95C94EBD6B69847C3FA598163F499C78
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.307521175.0000000000920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.310374137.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.310374137.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.310495000.0000000000633000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.310262751.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low

                        Target ID:1
                        Start time:10:58:06
                        Start date:09/12/2022
                        Path:C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"
                        Imagebase:0x400000
                        File size:431104 bytes
                        MD5 hash:95C94EBD6B69847C3FA598163F499C78
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000003.364509891.000000000072F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000003.388349962.000000000072F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000003.345025850.0000000000731000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000003.323578847.0000000000620000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low

                        Target ID:2
                        Start time:10:58:14
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
                        Imagebase:0x11e0000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:10:58:15
                        Start date:09/12/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7fcd70000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:4
                        Start time:10:58:15
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:5
                        Start time:10:58:15
                        Start date:09/12/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7fcd70000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:6
                        Start time:10:58:16
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:7
                        Start time:10:58:16
                        Start date:09/12/2022
                        Path:C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
                        Imagebase:0x400000
                        File size:431104 bytes
                        MD5 hash:95C94EBD6B69847C3FA598163F499C78
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000007.00000002.379221894.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.379447537.00000000006C5000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000007.00000003.378914980.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000007.00000002.379592093.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.379592093.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        Reputation:low

                        Target ID:8
                        Start time:10:58:17
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\cacls.exe
                        Wow64 process (32bit):true
                        Commandline:CACLS "gntuud.exe" /P "user:N"
                        Imagebase:0xf70000
                        File size:27648 bytes
                        MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:9
                        Start time:10:58:17
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\cacls.exe
                        Wow64 process (32bit):true
                        Commandline:CACLS "gntuud.exe" /P "user:R" /E
                        Imagebase:0xf70000
                        File size:27648 bytes
                        MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:10
                        Start time:10:58:17
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:11
                        Start time:10:58:18
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\cacls.exe
                        Wow64 process (32bit):true
                        Commandline:CACLS "..\9c69749b54" /P "user:N"
                        Imagebase:0xf70000
                        File size:27648 bytes
                        MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:12
                        Start time:10:58:18
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\cacls.exe
                        Wow64 process (32bit):true
                        Commandline:CACLS "..\9c69749b54" /P "user:R" /E
                        Imagebase:0xf70000
                        File size:27648 bytes
                        MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:13
                        Start time:10:58:19
                        Start date:09/12/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main
                        Imagebase:0x8d0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi

                        No disassembly