File name: | 396a0145a594e4f81dd61a370cd82d1c |
Full analysis: | https://app.any.run/tasks/7193e14e-3ccb-4842-95b4-89e299be620b |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | July 11, 2019, 13:02:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 396A0145A594E4F81DD61A370CD82D1C |
SHA1: | 09F4C0AEBD4F7366EE75162A98EFA32F0A1616F1 |
SHA256: | 0F7FB5CFDFED45D552C536B852B9FCD1B601EFE46752C16C89D074002A63DCE4 |
SSDEEP: | 24576:pAT8QE+kiOW/mlBKx3NKUsEebap9RhdYM/rn2lEsMv0+49kBre/iD7:pAI+EdBKxsntbap9jiArq3wD+kBZX |
.exe | | | InstallShield setup (49.2) |
---|---|---|
.exe | | | Win32 Executable Delphi generic (16.2) |
.scr | | | Windows screen saver (14.9) |
.dll | | | Win32 Dynamic Link Library (generic) (7.5) |
.exe | | | Win32 Executable (generic) (5.1) |
LegalCopyright: | kos1 |
---|---|
FileVersion: | 1.00 |
FileDescription: | kos1 1.00 Installation |
CompanyName: | kos1 |
Comments: | - |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 0.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x25468 |
UninitializedDataSize: | - |
InitializedDataSize: | 31744 |
CodeSize: | 148992 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 1992:06:20 00:22:17+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Jun-1992 22:22:17 |
Detected languages: |
|
Comments: | - |
CompanyName: | kos1 |
FileDescription: | kos1 1.00 Installation |
FileVersion: | 1.00 |
LegalCopyright: | kos1 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 19-Jun-1992 22:22:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x000244CC | 0x00024600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.59443 |
DATA | 0x00026000 | 0x00002894 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.79376 |
BSS | 0x00029000 | 0x000010F5 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0002B000 | 0x00001798 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.88555 |
.tls | 0x0002D000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0002E000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.204488 |
.reloc | 0x0002F000 | 0x00001884 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.58665 |
.rsrc | 0x00031000 | 0x00001CDC | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.74565 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.93923 | 886 | UNKNOWN | Russian - Russia | RT_MANIFEST |
50 | 3.25755 | 296 | UNKNOWN | UNKNOWN | RT_ICON |
51 | 4.01345 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
52 | 3.92897 | 744 | UNKNOWN | UNKNOWN | RT_ICON |
53 | 4.27475 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
DVCLAL | 4 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.28362 | 272 | UNKNOWN | UNKNOWN | RT_RCDATA |
MAINICON | 2.57938 | 62 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
advapi32.dll |
cabinet.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
winmm.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3056 | "C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe" | C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe | — | explorer.exe |
User: admin Company: kos1 Integrity Level: MEDIUM Description: kos1 1.00 Installation Exit code: 3221226540 Version: 1.00 | ||||
3516 | "C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe" | C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe | explorer.exe | |
User: admin Company: kos1 Integrity Level: HIGH Description: kos1 1.00 Installation Exit code: 0 Version: 1.00 | ||||
2980 | "C:\Program Files\kos1\kos1\digi1007_kos1_6cr11.exe" | C:\Program Files\kos1\kos1\digi1007_kos1_6cr11.exe | 396a0145a594e4f81dd61a370cd82d1c.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Telephoneassistant Really 5 Exit code: 0 | ||||
3976 | c:\programdata\d0e2b561fe\kntd.exe | c:\programdata\d0e2b561fe\kntd.exe | — | digi1007_kos1_6cr11.exe |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Telephoneassistant Really 5 |
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | DisplayName |
Value: kos1 1.00 | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | DisplayVersion |
Value: 1.00 | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | VersionMajor |
Value: 1 | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | VersionMinor |
Value: 0 | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | Publisher |
Value: kos1 | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\kos1\kos1\Uninstall.exe | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | UninstallString |
Value: C:\Program Files\kos1\kos1\Uninstall.exe | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | URLInfoAbout |
Value: http://www.company.com/ | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | HelpLink |
Value: mailto:[email protected] | |||
(PID) Process: | (3516) 396a0145a594e4f81dd61a370cd82d1c.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 |
Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\kos1\kos1\ |
PID | Process | Filename | Type | |
---|---|---|---|---|
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Users\admin\AppData\Local\Temp\$inst\2.tmp | — | |
MD5:— | SHA256:— | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp | — | |
MD5:— | SHA256:— | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\cs.lng | xml | |
MD5:30F897BBDE9622E5B29B1E9ABEB0147D | SHA256:FA39D085EF8E5614CDBC43DDF07A0DBB48A93DC776037340B7524ABE5DF0AC74 | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\el-GR.lng | xml | |
MD5:A246F5AFC122B88B6D2319CD7038ADDB | SHA256:794E060D3DC0757C24FA21C696280F342B6F08E280E3442BD3759626D82B9D21 | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\fi-Fi.lng | xml | |
MD5:BE49D6C6D8F8B8ADBFC33F19604066F2 | SHA256:6FE0454B2B05A36C75E661327333A11A526D21DB80DFE0AF9C052E8AE2AC5BBF | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\he-IL.lng | xml | |
MD5:C7EF223E9F8EFEB31D6BF7274FE72653 | SHA256:988FCD5A29BA4311E03918F7911E6031E50C393D88EAAA4DE207CB5ABD61808F | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\es.lng | xml | |
MD5:2BFD369A8B75B7BF49919A4420E52062 | SHA256:918A82636426A2D696BAD291C40050754F1492D51A51337D6CF871DD75E53C44 | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\hy-AM.lng | xml | |
MD5:6AE7CA65BE2EEEC1EB5474B1CED25552 | SHA256:08BEC6122B7376D93EC6BA2AD3A240C98DC6E6158C01586E4017EA5E486A9588 | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\digi1007_kos1_6cr11.exe | executable | |
MD5:6BAB55CE6739B193BAD64CE4C9DC32B1 | SHA256:DCEF36BAC785A03A5D9AAEBA50E97027BD7A8E1C35C75578FD73F2485E811ABE | |||
3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Core Temp.exe | executable | |
MD5:ACE98555C0D4A336AF18B5402078F21F | SHA256:7A0E3FCD8A8C9A703277077AB59BB75F33B1421CD78C8270CC2A0533F9E2E3C9 |