File name:	file
Full analysis:	https://app.any.run/tasks/999810aa-492a-49a5-8d52-2c0fbd8e6b53
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	December 05, 2022, 21:04:15
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	installer trojan loader gcleaner stealer vidar amadey
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:	95EF39D083A9FC080782CB3D1D865097
SHA1:	3B01362E4510FC738740E6FDA55BCCA7164A57E1
SHA256:	1552C2A4369C9E5AD1BE0F7C06A09BF7EA806E2D5BFB724A1E939E1DEFC1608F
SSDEEP:	98304:Qc66ZjzwseTpfmY2TNAq/A6VTuFdIxIs98zNY2IUE/ycY/K:B7jzx+FaAq/ZAFd7s98CbUeycY/K

.exe	\|	Inno Setup installer (82.8)
.exe	\|	Win32 Executable Delphi generic (10.7)
.exe	\|	Win32 Executable (generic) (3.4)
.exe	\|	Generic Win/DOS Executable (1.5)
.exe	\|	DOS Executable Generic (1.5)

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	1992-Jun-19 22:22:17
Detected languages:	English - United States
Comments:	This installation was built with Inno Setup: http://www.innosetup.com
CompanyName:	-
FileDescription:	PrintFolders Setup
FileVersion:	-
InternalName:	-
OriginalFilename:	-
ProductName:	-
ProductVersion:	-

e_magic:	MZ
e_cblp:	80
e_cp:	2
e_crlc:	-
e_cparhdr:	4
e_minalloc:	15
e_maxalloc:	65535
e_ss:	-
e_sp:	184
e_csum:	-
e_ip:	-
e_cs:	-
e_ovno:	26
e_oemid:	-
e_oeminfo:	-
e_lfanew:	256

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
NumberofSections:	8
TimeDateStamp:	1992-Jun-19 22:22:17
PointerToSymbolTable:	-
NumberOfSymbols:	-
SizeOfOptionalHeader:	224
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_BYTES_REVERSED_HI IMAGE_FILE_BYTES_REVERSED_LO IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
CODE	4096	36352	36352	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.60044
DATA	40960	584	1024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.72043
BSS	45056	3684	0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	49152	2248	2560	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.2508
.tls	53248	8	0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	57344	24	512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED	0.199108
.reloc	61440	2156	0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc	65536	167124	167424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED	5.27927

Title	Entropy	Size	Codepage	Language	Type
1	5.39383	1128	Latin 1 / Western European	English - United States	RT_ICON
2	5.94971	2440	Latin 1 / Western European	English - United States	RT_ICON
3	5.5357	4264	Latin 1 / Western European	English - United States	RT_ICON
4	5.48577	9640	Latin 1 / Western European	English - United States	RT_ICON
5	5.25469	16936	Latin 1 / Western European	English - United States	RT_ICON
6	5.46372	21640	Latin 1 / Western European	English - United States	RT_ICON
7	5.3545	38056	Latin 1 / Western European	English - United States	RT_ICON
8	4.90318	67624	Latin 1 / Western European	English - United States	RT_ICON
4089	3.21823	754	Latin 1 / Western European	UNKNOWN	RT_STRING
4090	3.31515	780	Latin 1 / Western European	UNKNOWN	RT_STRING


(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_CURRENT_USER\Software\Atzpoint Software\PrintFolders
Operation:	write	Name:	Language
Value: eng
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 5.1.2-beta
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files\PrintFolders
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files\PrintFolders\
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: PrintFolders
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	DisplayName
Value: PrintFolders 3.100
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:	(2320) is-VARHN.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:	write	Name:	QuietUninstallString
Value: "C:\Program Files\PrintFolders\unins000.exe" /SILENT

PID	Process	Filename		Type
2320	is-VARHN.tmp	C:\Program Files\PrintFolders\is-89NO2.tmp		—
		MD5:—	SHA256:—
2320	is-VARHN.tmp	C:\Program Files\PrintFolders\PrintFolders.exe		—
		MD5:—	SHA256:—
2480	PrintFolders.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ping[1].htm		text
		MD5:064DB2A4C3D31A4DC6AA2538F3FE7377	SHA256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
2480	PrintFolders.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fuckingdllENCR[1].dll		binary
		MD5:418619EA97671304AF80EC60F5A50B62	SHA256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
2320	is-VARHN.tmp	C:\Program Files\PrintFolders\unins000.dat		dat
		MD5:E8B5D479FBD509F6CCDC576C0F90E448	SHA256:8F93E74415B4576D5F3EB8C479B1842D1CA8E36B3F30A7B1DA5A77004389F1F2
2320	is-VARHN.tmp	C:\Program Files\PrintFolders\unins000.exe		executable
		MD5:BCD1868E95254F9531A7FF38461C0D72	SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
2320	is-VARHN.tmp	C:\Program Files\PrintFolders\is-7ON5D.tmp		executable
		MD5:BCD1868E95254F9531A7FF38461C0D72	SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
3672	file.exe	C:\Users\admin\AppData\Local\Temp\is-VV33G.tmp\is-VARHN.tmp		executable
		MD5:10C841B0221D6870DE7C951EAF5B1DA9	SHA256:4252858D9C6D8D55F829D7E418EA8357FD26FBDF8C0FCE1FED23A8C720A8807E
2480	PrintFolders.exe	C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\dD1n0sRRNe.exe		executable
		MD5:3FB36CB0B7172E5298D2992D42984D06	SHA256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
2320	is-VARHN.tmp	C:\Users\admin\AppData\Local\Temp\is-EDNF5.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2480	PrintFolders.exe	GET	200	107.182.129.235:80	http://107.182.129.235/storage/ping.php	US	text	17 b	malicious
2480	PrintFolders.exe	GET	200	107.182.129.235:80	http://107.182.129.235/storage/extension.php	US	binary	92.0 Kb	malicious
2480	PrintFolders.exe	GET	200	171.22.30.106:80	http://171.22.30.106/library.php	GB	executable	615 Kb	malicious
3884	VSEa235z.exe	GET	200	195.201.250.87:80	http://195.201.250.87/update.zip	DE	compressed	3.47 Mb	malicious
2480	PrintFolders.exe	GET	200	171.22.30.106:80	http://171.22.30.106/library.php	GB	executable	386 Kb	malicious
2480	PrintFolders.exe	GET	200	171.22.30.106:80	http://171.22.30.106/library.php	GB	executable	3.78 Mb	malicious
3884	VSEa235z.exe	GET	200	195.201.250.87:80	http://195.201.250.87/1787	DE	text	110 b	malicious
2480	PrintFolders.exe	GET	200	171.22.30.106:80	http://171.22.30.106/library.php	GB	executable	260 Kb	malicious
1492	rundll32.exe	POST	200	77.73.133.72:80	http://77.73.133.72/hfk3vK9/index.php	KZ	—	—	malicious
1988	gntuud.exe	GET	200	77.73.133.72:80	http://77.73.133.72/hfk3vK9/Plugins/cred.dll	KZ	executable	126 Kb	malicious


advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)

Domain	IP	Reputation
t.me	149.154.167.99	whitelisted
ctldl.windowsupdate.com	8.248.149.254 8.248.143.254 8.248.113.254 8.248.119.254 8.248.117.254	whitelisted
ocsp.godaddy.com	192.124.249.22 192.124.249.23 192.124.249.24 192.124.249.36 192.124.249.41	whitelisted

PID	Process	Class	Message
2480	PrintFolders.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 9
2480	PrintFolders.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2480	PrintFolders.exe	Potentially Bad Traffic	ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2480	PrintFolders.exe	Misc activity	ET INFO EXE - Served Attached HTTP
2480	PrintFolders.exe	Misc activity	ET INFO Packed Executable Download
2480	PrintFolders.exe	Potentially Bad Traffic	ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2480	PrintFolders.exe	Misc activity	ET INFO EXE - Served Attached HTTP
3884	VSEa235z.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host ZIP Request
3884	VSEa235z.exe	A Network Trojan was detected	ET TROJAN Arkei/Vidar/Mars Stealer Variant
2480	PrintFolders.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

file

95EF39D083A9FC080782CB3D1D865097

3B01362E4510FC738740E6FDA55BCCA7164A57E1

1552C2A4369C9E5AD1BE0F7C06A09BF7EA806E2D5BFB724A1E939E1DEFC1608F

98304:Qc66ZjzwseTpfmY2TNAq/A6VTuFdIxIs98zNY2IUE/ycY/K:B7jzx+FaAq/ZAFd7s98CbUeycY/K

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

G-cleaner network activity is detected

Application was dropped or rewritten from another process

Steals credentials from Web Browsers

VIDAR was detected

Loads dropped or rewritten executable

Changes the autorun value in the registry

Changes the Startup folder

Uses Task Scheduler to run other applications

Loads the Task Scheduler COM API

AMADEY was detected

SUSPICIOUS

Reads the Internet Settings

Reads Microsoft Outlook installation path

Executable content was dropped or overwritten

Drops a file with too old compile date

Reads the Windows owner or organization settings

Creates a directory in Program Files

Connects to the server without a host name

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Reads settings of System Certificates

Reads browser cookies

Starts CMD.EXE for commands execution

Searches for installed software

Starts CMD.EXE for self-deleting

Starts itself from another location

Uses TASKKILL.EXE to kill process

Executes via Task Scheduler

Uses TASKKILL.EXE to terminate process

Uses RUNDLL32.EXE to load library

Process requests binary or script from the Internet

INFO

Checks proxy server information

Checks supported languages

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

Reads the computer name

Drops a file that was compiled in debug mode

Creates a software uninstall entry

Creates a file in a temporary directory

Creates files in the program directory

Reads Environment values

Reads product name

Reads CPU info

Reads the CPU's name

Malware configuration

Static information

TRiD

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules