analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

file

Full analysis: https://app.any.run/tasks/999810aa-492a-49a5-8d52-2c0fbd8e6b53
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: December 05, 2022, 21:04:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
loader
gcleaner
stealer
vidar
amadey
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

95EF39D083A9FC080782CB3D1D865097

SHA1:

3B01362E4510FC738740E6FDA55BCCA7164A57E1

SHA256:

1552C2A4369C9E5AD1BE0F7C06A09BF7EA806E2D5BFB724A1E939E1DEFC1608F

SSDEEP:

98304:Qc66ZjzwseTpfmY2TNAq/A6VTuFdIxIs98zNY2IUE/ycY/K:B7jzx+FaAq/ZAFd7s98CbUeycY/K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-VARHN.tmp (PID: 2320)
      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • gntuud.exe (PID: 1988)
    • Application was dropped or rewritten from another process

      • dD1n0sRRNe.exe (PID: 3136)
      • VSEa235z.exe (PID: 3884)
      • QhpTBV.exe (PID: 2976)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
      • gntuud.exe (PID: 2360)
      • gntuud.exe (PID: 572)
    • G-cleaner network activity is detected

      • PrintFolders.exe (PID: 2480)
    • Steals credentials from Web Browsers

      • VSEa235z.exe (PID: 3884)
    • VIDAR was detected

      • VSEa235z.exe (PID: 3884)
    • Loads dropped or rewritten executable

      • VSEa235z.exe (PID: 3884)
      • rundll32.exe (PID: 1492)
    • Changes the Startup folder

      • gntuud.exe (PID: 1988)
    • Changes the autorun value in the registry

      • gntuud.exe (PID: 1988)
    • Uses Task Scheduler to run other applications

      • gntuud.exe (PID: 1988)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3072)
    • AMADEY was detected

      • gntuud.exe (PID: 1988)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • is-VARHN.tmp (PID: 2320)
    • Creates a directory in Program Files

      • is-VARHN.tmp (PID: 2320)
    • Drops a file with too old compile date

      • is-VARHN.tmp (PID: 2320)
      • gntuud.exe (PID: 1988)
    • Executable content was dropped or overwritten

      • is-VARHN.tmp (PID: 2320)
      • VSEa235z.exe (PID: 3884)
      • PrintFolders.exe (PID: 2480)
      • gntuud.exe (PID: 1988)
    • Reads the Internet Settings

      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
    • Reads Microsoft Outlook installation path

      • PrintFolders.exe (PID: 2480)
    • Connects to the server without a host name

      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • rundll32.exe (PID: 1492)
      • gntuud.exe (PID: 1988)
    • Checks Windows Trust Settings

      • VSEa235z.exe (PID: 3884)
    • Reads settings of System Certificates

      • VSEa235z.exe (PID: 3884)
    • Reads security settings of Internet Explorer

      • VSEa235z.exe (PID: 3884)
    • Reads browser cookies

      • VSEa235z.exe (PID: 3884)
    • Searches for installed software

      • VSEa235z.exe (PID: 3884)
    • Starts CMD.EXE for commands execution

      • VSEa235z.exe (PID: 3884)
      • PrintFolders.exe (PID: 2480)
    • Starts CMD.EXE for self-deleting

      • VSEa235z.exe (PID: 3884)
    • Starts itself from another location

      • F1UZOpP.exe (PID: 452)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4024)
    • Uses TASKKILL.EXE to terminate process

      • cmd.exe (PID: 4024)
    • Executes via Task Scheduler

      • gntuud.exe (PID: 2360)
      • gntuud.exe (PID: 572)
    • Uses RUNDLL32.EXE to load library

      • gntuud.exe (PID: 1988)
    • Process requests binary or script from the Internet

      • gntuud.exe (PID: 1988)
  • INFO

    • Checks supported languages

      • file.exe (PID: 3672)
      • is-VARHN.tmp (PID: 2320)
      • PrintFolders.exe (PID: 2480)
      • dD1n0sRRNe.exe (PID: 3136)
      • VSEa235z.exe (PID: 3884)
      • QhpTBV.exe (PID: 2976)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
      • gntuud.exe (PID: 2360)
      • gntuud.exe (PID: 572)
    • Reads the computer name

      • is-VARHN.tmp (PID: 2320)
      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
    • Creates a file in a temporary directory

      • is-VARHN.tmp (PID: 2320)
      • file.exe (PID: 3672)
      • F1UZOpP.exe (PID: 452)
      • gntuud.exe (PID: 1988)
    • Creates files in the program directory

      • is-VARHN.tmp (PID: 2320)
      • VSEa235z.exe (PID: 3884)
    • Creates a software uninstall entry

      • is-VARHN.tmp (PID: 2320)
    • Drops a file that was compiled in debug mode

      • is-VARHN.tmp (PID: 2320)
      • VSEa235z.exe (PID: 3884)
      • PrintFolders.exe (PID: 2480)
    • Loads dropped or rewritten executable

      • is-VARHN.tmp (PID: 2320)
    • Application was dropped or rewritten from another process

      • is-VARHN.tmp (PID: 2320)
    • Checks proxy server information

      • PrintFolders.exe (PID: 2480)
      • VSEa235z.exe (PID: 3884)
      • gntuud.exe (PID: 1988)
    • Reads Environment values

      • VSEa235z.exe (PID: 3884)
    • Reads CPU info

      • VSEa235z.exe (PID: 3884)
    • Reads product name

      • VSEa235z.exe (PID: 3884)
    • Reads the CPU's name

      • VSEa235z.exe (PID: 3884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName: -
FileDescription: PrintFolders Setup
FileVersion: -
InternalName: -
OriginalFilename: -
ProductName: -
ProductVersion: -

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
36352
36352
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60044
DATA
40960
584
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.72043
BSS
45056
3684
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
49152
2248
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2508
.tls
53248
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
57344
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.199108
.reloc
61440
2156
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
65536
167124
167424
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.27927

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.39383
1128
Latin 1 / Western European
English - United States
RT_ICON
2
5.94971
2440
Latin 1 / Western European
English - United States
RT_ICON
3
5.5357
4264
Latin 1 / Western European
English - United States
RT_ICON
4
5.48577
9640
Latin 1 / Western European
English - United States
RT_ICON
5
5.25469
16936
Latin 1 / Western European
English - United States
RT_ICON
6
5.46372
21640
Latin 1 / Western European
English - United States
RT_ICON
7
5.3545
38056
Latin 1 / Western European
English - United States
RT_ICON
8
4.90318
67624
Latin 1 / Western European
English - United States
RT_ICON
4089
3.21823
754
Latin 1 / Western European
UNKNOWN
RT_STRING
4090
3.31515
780
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
17
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start file.exe no specs file.exe is-varhn.tmp #GCLEANER printfolders.exe dd1n0srrne.exe no specs #VIDAR vsea235z.exe qhptbv.exe cmd.exe no specs timeout.exe no specs f1uzopp.exe no specs #AMADEY gntuud.exe schtasks.exe no specs cmd.exe no specs taskkill.exe no specs gntuud.exe no specs rundll32.exe gntuud.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
868"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
PrintFolders Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
3672"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Integrity Level:
HIGH
Description:
PrintFolders Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
2320"C:\Users\admin\AppData\Local\Temp\is-VV33G.tmp\is-VARHN.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3620208 208896 C:\Users\admin\AppData\Local\Temp\is-VV33G.tmp\is-VARHN.tmp
file.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.42.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vv33g.tmp\is-varhn.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
2480"C:\Program Files\PrintFolders\PrintFolders.exe" C:\Program Files\PrintFolders\PrintFolders.exe
is-VARHN.tmp
User:
admin
Company:
Atr Software
Integrity Level:
HIGH
Description:
Data Recovery
Exit code:
0
Version:
1.2.3.100
Modules
Images
c:\program files\printfolders\printfolders.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3136 C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\dD1n0sRRNe.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\dd1n0srrne.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
3884"C:\Users\admin\AppData\Roaming\D6LN0UJr\VSEa235z.exe"C:\Users\admin\AppData\Roaming\D6LN0UJr\VSEa235z.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\d6ln0ujr\vsea235z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
2976"C:\Users\admin\AppData\Roaming\mSew0ZgmvL\QhpTBV.exe"C:\Users\admin\AppData\Roaming\mSew0ZgmvL\QhpTBV.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\msew0zgmvl\qhptbv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
3636"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\admin\AppData\Roaming\D6LN0UJr\VSEa235z.exe" & exitC:\Windows\System32\cmd.exeVSEa235z.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3216timeout /t 6 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
452"C:\Users\admin\AppData\Roaming\CopPeGpAA6P\F1UZOpP.exe"C:\Users\admin\AppData\Roaming\CopPeGpAA6P\F1UZOpP.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\coppegpaa6p\f1uzopp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
Total events
9 082
Read events
8 969
Write events
111
Delete events
2

Modification events

(PID) Process:(2320) is-VARHN.tmpKey:HKEY_CURRENT_USER\Software\Atzpoint Software\PrintFolders
Operation:writeName:Language
Value:
eng
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.1.2-beta
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\PrintFolders
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\PrintFolders\
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
PrintFolders
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayName
Value:
PrintFolders 3.100
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:(2320) is-VARHN.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe" /SILENT
Executable files
25
Suspicious files
10
Text files
7
Unknown types
14

Dropped files

PID
Process
Filename
Type
2320is-VARHN.tmpC:\Program Files\PrintFolders\is-89NO2.tmp
MD5:
SHA256:
2320is-VARHN.tmpC:\Program Files\PrintFolders\PrintFolders.exe
MD5:
SHA256:
2480PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ping[1].htmtext
MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
SHA256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
2320is-VARHN.tmpC:\Program Files\PrintFolders\unins000.exeexecutable
MD5:BCD1868E95254F9531A7FF38461C0D72
SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
2480PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MIXTWO[1].fileexecutable
MD5:82FFD848564AC867037CED13F3A90254
SHA256:6FA59F3A7612D254EF4DB1E1474A234421B590CDF856CDA134411EC0E9BF697B
3672file.exeC:\Users\admin\AppData\Local\Temp\is-VV33G.tmp\is-VARHN.tmpexecutable
MD5:10C841B0221D6870DE7C951EAF5B1DA9
SHA256:4252858D9C6D8D55F829D7E418EA8357FD26FBDF8C0FCE1FED23A8C720A8807E
2320is-VARHN.tmpC:\Program Files\PrintFolders\is-7ON5D.tmpexecutable
MD5:BCD1868E95254F9531A7FF38461C0D72
SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
2320is-VARHN.tmpC:\Program Files\PrintFolders\Guide.chmchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
2320is-VARHN.tmpC:\Users\admin\AppData\Local\Temp\is-EDNF5.tmp\_iscrypt.dllexecutable
MD5:A69559718AB506675E907FE49DEB71E9
SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
2320is-VARHN.tmpC:\Users\admin\AppData\Local\Temp\is-EDNF5.tmp\_isetup\_shfoldr.dllexecutable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
12
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2480
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/extension.php
US
binary
92.0 Kb
malicious
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
3.78 Mb
malicious
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
260 Kb
malicious
3884
VSEa235z.exe
GET
200
195.201.250.87:80
http://195.201.250.87/1787
DE
text
110 b
malicious
2480
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/ping.php
US
text
17 b
malicious
3884
VSEa235z.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
615 Kb
malicious
3884
VSEa235z.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
2480
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
386 Kb
malicious
3884
VSEa235z.exe
GET
200
195.201.250.87:80
http://195.201.250.87/update.zip
DE
compressed
3.47 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2480
PrintFolders.exe
107.182.129.235:80
Delis LLC
US
malicious
2480
PrintFolders.exe
45.139.105.171:80
Xdeer Limited
BG
malicious
3884
VSEa235z.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious
2480
PrintFolders.exe
171.22.30.106:80
Delis LLC
US
malicious
3884
VSEa235z.exe
8.248.149.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
3884
VSEa235z.exe
192.124.249.22:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
1988
gntuud.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3884
VSEa235z.exe
195.201.250.87:80
Hetzner Online GmbH
DE
malicious
1492
rundll32.exe
77.73.133.72:80
Partner LLC
KZ
malicious

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
ctldl.windowsupdate.com
  • 8.248.149.254
  • 8.248.143.254
  • 8.248.113.254
  • 8.248.119.254
  • 8.248.117.254
whitelisted
ocsp.godaddy.com
  • 192.124.249.22
  • 192.124.249.23
  • 192.124.249.24
  • 192.124.249.36
  • 192.124.249.41
whitelisted

Threats

PID
Process
Class
Message
2480
PrintFolders.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
2480
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2480
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2480
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2480
PrintFolders.exe
Misc activity
ET INFO Packed Executable Download
2480
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2480
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3884
VSEa235z.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
3884
VSEa235z.exe
A Network Trojan was detected
ET TROJAN Arkei/Vidar/Mars Stealer Variant
2480
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2 ETPRO signatures available at the full report
No debug info