Malware analysis file Malicious activity | ANY.RUN

Add for printing

File name:	file
Full analysis:	https://app.any.run/tasks/d8e6a225-5a22-4013-9a22-18328da94e2b
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	October 29, 2023, 03:19:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	sinkhole stealc stealer redline amadey botnet trojan opendir loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	136459F311ACCC08F70FE00E6BEC6378
SHA1:	789413255DE469464533AEFA13F16D6E7760E613
SHA256:	31111863184999972398BD14DF902DC5F24DAE8549B4B734C6981501ECB0EFA9
SSDEEP:	49152:TLnemILvLHFbLnZbAcYs6CpHhfTGw1wCVCirPfiBZyORbfUjIRO/0oOZAUxYbIki:3n2lbVAcYdCpb110QnirdoEq0oO9xYba

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - file.exe (PID: 2888)
  - Ow4wA70.exe (PID: 1940)
  - IT0Ly77.exe (PID: 364)
  - gW5TR58.exe (PID: 2468)
  - Hq1zX35.exe (PID: 2664)
  - TR3lo51.exe (PID: 1396)
  - 5ov7wg4.exe (PID: 2976)
  - explothe.exe (PID: 1672)
- Application was dropped or rewritten from another process
  - TR3lo51.exe (PID: 1396)
  - Hq1zX35.exe (PID: 2664)
  - Ow4wA70.exe (PID: 1940)
  - gW5TR58.exe (PID: 2468)
  - 1ZP91Zr6.exe (PID: 2956)
  - 2yk4815.exe (PID: 2732)
  - IT0Ly77.exe (PID: 364)
  - 3Cf94ju.exe (PID: 2640)
  - 4pC480gz.exe (PID: 2772)
  - 5ov7wg4.exe (PID: 2976)
  - explothe.exe (PID: 1672)
  - 6QD0YC9.exe (PID: 2852)
  - 7Ux4YS34.exe (PID: 3060)
  - explothe.exe (PID: 4072)
  - explothe.exe (PID: 3000)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- STEALC has been detected (SURICATA)
  - AppLaunch.exe (PID: 2080)
- Connects to the CnC server
  - AppLaunch.exe (PID: 2080)
  - explothe.exe (PID: 1672)
  - AppLaunch.exe (PID: 2572)
- Runs injected code in another process
  - 3Cf94ju.exe (PID: 2640)
- Changes the autorun value in the registry
  - explothe.exe (PID: 1672)
- Uses Task Scheduler to run other applications
  - explothe.exe (PID: 1672)
- AMADEY has been detected (SURICATA)
  - explothe.exe (PID: 1672)
- REDLINE has been detected (SURICATA)
  - AppLaunch.exe (PID: 2572)
- Steals credentials from Web Browsers
  - AppLaunch.exe (PID: 2572)
- Actions looks like stealing of personal data
  - AppLaunch.exe (PID: 2572)
- AMADEY has been detected (YARA)
  - explothe.exe (PID: 1672)
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 2268)
SUSPICIOUS
- Process drops legitimate windows executable
  - Ow4wA70.exe (PID: 1940)
  - gW5TR58.exe (PID: 2468)
  - IT0Ly77.exe (PID: 364)
  - Hq1zX35.exe (PID: 2664)
  - file.exe (PID: 2888)
- Reads the Internet Settings
  - AppLaunch.exe (PID: 2080)
  - 5ov7wg4.exe (PID: 2976)
  - 6QD0YC9.exe (PID: 2852)
  - explothe.exe (PID: 1672)
  - cmd.exe (PID: 2536)
- Connects to the server without a host name
  - AppLaunch.exe (PID: 2080)
  - 6QD0YC9.exe (PID: 2852)
  - explothe.exe (PID: 1672)
  - explorer.exe (PID: 1944)
- Starts itself from another location
  - 5ov7wg4.exe (PID: 2976)
- Starts CMD.EXE for commands execution
  - explothe.exe (PID: 1672)
  - cmd.exe (PID: 2648)
  - 7Ux4YS34.exe (PID: 3060)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 2648)
- Application launched itself
  - cmd.exe (PID: 2648)
- Executing commands from a ".bat" file
  - 7Ux4YS34.exe (PID: 3060)
- Searches for installed software
  - AppLaunch.exe (PID: 2572)
- The process executes via Task Scheduler
  - explothe.exe (PID: 4072)
  - explothe.exe (PID: 3000)
- Connects to unusual port
  - AppLaunch.exe (PID: 2572)
- Process requests binary or script from the Internet
  - explothe.exe (PID: 1672)
- Reads browser cookies
  - AppLaunch.exe (PID: 2572)
INFO
- Create files in a temporary directory
  - file.exe (PID: 2888)
  - IT0Ly77.exe (PID: 364)
  - gW5TR58.exe (PID: 2468)
  - TR3lo51.exe (PID: 1396)
  - Hq1zX35.exe (PID: 2664)
  - 5ov7wg4.exe (PID: 2976)
  - 7Ux4YS34.exe (PID: 3060)
  - Ow4wA70.exe (PID: 1940)
- Checks supported languages
  - file.exe (PID: 2888)
  - Ow4wA70.exe (PID: 1940)
  - IT0Ly77.exe (PID: 364)
  - Hq1zX35.exe (PID: 2664)
  - TR3lo51.exe (PID: 1396)
  - 1ZP91Zr6.exe (PID: 2956)
  - AppLaunch.exe (PID: 2832)
  - 2yk4815.exe (PID: 2732)
  - AppLaunch.exe (PID: 2080)
  - 3Cf94ju.exe (PID: 2640)
  - AppLaunch.exe (PID: 2572)
  - 5ov7wg4.exe (PID: 2976)
  - 4pC480gz.exe (PID: 2772)
  - explothe.exe (PID: 1672)
  - 6QD0YC9.exe (PID: 2852)
  - 7Ux4YS34.exe (PID: 3060)
  - gW5TR58.exe (PID: 2468)
  - explothe.exe (PID: 4072)
  - explothe.exe (PID: 3000)
- Reads the computer name
  - AppLaunch.exe (PID: 2832)
  - AppLaunch.exe (PID: 2080)
  - AppLaunch.exe (PID: 2572)
  - 5ov7wg4.exe (PID: 2976)
  - 6QD0YC9.exe (PID: 2852)
  - explothe.exe (PID: 1672)
- Reads the machine GUID from the registry
  - AppLaunch.exe (PID: 2080)
  - 6QD0YC9.exe (PID: 2852)
  - AppLaunch.exe (PID: 2572)
  - explothe.exe (PID: 1672)
- Checks proxy server information
  - AppLaunch.exe (PID: 2080)
  - 6QD0YC9.exe (PID: 2852)
  - explothe.exe (PID: 1672)
- Reads Environment values
  - AppLaunch.exe (PID: 2572)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)
- Creates files or folders in the user directory
  - explothe.exe (PID: 1672)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(1672) explothe.exe

C2 (1)http://77.91.124.1

Version3.89

Options

Drop directoryS-%lu-

Drop name%-lu

Strings (120)-%lu

fefffe8cea

explothe.exe

SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

shutdown -s -t 0

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:25 00:49:06+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	1592832
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

364

C:\Users\admin\AppData\Local\Temp\IXP002.TMP\IT0Ly77.exe

—

gW5TR58.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.17763.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\ixp002.tmp\it0ly77.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

392

"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform/

C:\Program Files\Internet Explorer\iexplore.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll

640

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:267521 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64.dll

776

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:267521 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\msvcrt.dll

1396

C:\Users\admin\AppData\Local\Temp\IXP004.TMP\TR3lo51.exe

—

Hq1zX35.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.17763.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\ixp004.tmp\tr3lo51.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1408

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\msvcrt.dll

1456

CACLS "..\fefffe8cea" /P "admin:N"

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\cacls.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1580

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\schtasks.exe

—

explothe.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1628

CACLS "..\fefffe8cea" /P "admin:R" /E

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\kernel32.dll

1672

"C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe

5ov7wg4.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\fefffe8cea\explothe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\version.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll

Amadey

(PID) Process(1672) explothe.exe

C2 (1)http://77.91.124.1

Version3.89

Options

Drop directoryS-%lu-

Drop name%-lu

Strings (120)-%lu

fefffe8cea

explothe.exe

SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

shutdown -s -t 0

Add for printing

Total events

28 526

Read events

28 012

Write events

513

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A00000000020000000000106600000001000020000000AED9F7A034803824C8B1E828E6ACF7A63C03C62037EFED43278AD26DABE640A1000000000E8000000002000020000000AB5403F7CEBF10DFE341ABEBBEE1A84444EBC55972843D61F9FD20F3F0EABE92B0000000FC067D59D0357C58872FB611AE92F67CAF2B1FDF280A6E076A7077808FDF9D6902A616185711F2BC394A2B6D44B08968CB658980494D87797413D932F0415C59BCEE2F408C91017ECA1A09CFF46B78A1DDEB7B1A1E3900CE68E46CBA92E3449C11FF6689058BD2FEA4CC617DA5D154EC67F4E85B3C7D41EDD704426CE486FED6952A1CDA27E0F58502A85DA834FC59F375E4A11757B352567CADFEF8F2BB497E437086EEA56B957D31DAA98C7F678CCB4000000048300250278A78A5D4898CA43F5197F9B50DF81CBC35B6CAA716E6F42642EECD0299AF2C0B69703D12B9CACBDB5AD7A7001D20D662BA32D05CD6D99A1234653A
(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(2080) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2080) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2080) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2080) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000C1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1944) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2976) 5ov7wg4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2976) 5ov7wg4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2976) 5ov7wg4.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

Suspicious files

Text files

200

Unknown types

Dropped files

PID	Process	Filename		Type
2468	gW5TR58.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\IT0Ly77.exe		executable
		MD5:75B2E505089300F947E09F06CC295418	SHA256:E0D726B76510FF42E024AB3A2B20887059AB15C71AAFF190A2E6C05AA6CB62D6
1396	TR3lo51.exe	C:\Users\admin\AppData\Local\Temp\IXP005.TMP\1ZP91Zr6.exe		executable
		MD5:5B6F3266B8877494F3255B7A91AF9E61	SHA256:55B44C68D1F3912FB16090A4266DAF02A158FB9D5B4FC3AE9693291369D0E824
640	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\LS1INGKZ.txt		text
		MD5:63CB3DEEB5E48DCD2CA7A7FBF7C3B1D2	SHA256:69DB4AD1187F7726157390CA865A86BE6B06F7A43C023FDC98BFD8E909C5157C
2468	gW5TR58.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\5ov7wg4.exe		executable
		MD5:B61A70CFB2A3F0E6F72F51B297AC2624	SHA256:B1635BA27455CB073D74E42A0592E4454C18231F85F5D725C135AA1D0009CA20
2664	Hq1zX35.exe	C:\Users\admin\AppData\Local\Temp\IXP004.TMP\TR3lo51.exe		executable
		MD5:43EAF2836901B0525C2E4D9F534F06C2	SHA256:D942D56305FFE4974A33D5CD8ABA65CAF3C93B5AE511E648C1FB68C2587D9DBB
2432	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\3ABCKJSC.htm		compressed
		MD5:6513F088E84154055863FECBE5C13A4A	SHA256:EB5ECFE20A6DB8B760E473F56AD0F833D4EEE9584B2B04A23783CAB2D5388C06
640	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\SS0A7707.htm		compressed
		MD5:6513F088E84154055863FECBE5C13A4A	SHA256:EB5ECFE20A6DB8B760E473F56AD0F833D4EEE9584B2B04A23783CAB2D5388C06
364	IT0Ly77.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\4pC480gz.exe		executable
		MD5:F5E6409F97672BF2A8C9CB356CB36F65	SHA256:FD8FC672D5B3C78CF982013B49A2CD8E0D89F61FD024B6F0E72337A16297CA1F
2976	5ov7wg4.exe	C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe		executable
		MD5:B61A70CFB2A3F0E6F72F51B297AC2624	SHA256:B1635BA27455CB073D74E42A0592E4454C18231F85F5D725C135AA1D0009CA20
2888	file.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\7Ux4YS34.exe		executable
		MD5:AA33A196C9AA646054C32AF54C83C16B	SHA256:625B198792C5255751460A1C26CAE23BC994A3C3EDA86E1CC850FE4D611752DB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

154

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1672	explothe.exe	POST	200	77.91.124.1:80	http://77.91.124.1/theme/index.php	unknown	text	6 b	unknown
1944	explorer.exe	POST	404	77.91.68.29:80	http://77.91.68.29/fks/	unknown	binary	7 b	unknown
2080	AppLaunch.exe	POST	200	193.233.255.73:80	http://193.233.255.73/loghub/master	unknown	text	8 b	unknown
2852	6QD0YC9.exe	POST	200	193.233.255.73:80	http://193.233.255.73/loghub/master	unknown	text	8 b	unknown
1672	explothe.exe	GET	200	77.91.124.1:80	http://77.91.124.1/theme/Plugins/clip64.dll	unknown	executable	89.0 Kb	unknown
1672	explothe.exe	GET	404	77.91.124.1:80	http://77.91.124.1/theme/Plugins/cred64.dll	unknown	html	273 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2080	AppLaunch.exe	193.233.255.73:80	—	LLC Baxet	RU	malicious
2852	6QD0YC9.exe	193.233.255.73:80	—	LLC Baxet	RU	malicious
2572	AppLaunch.exe	77.91.124.86:19084	—	Foton Telecom CJSC	RU	malicious
1672	explothe.exe	77.91.124.1:80	—	Foton Telecom CJSC	RU	unknown
2432	iexplore.exe	142.250.74.205:443	accounts.google.com	GOOGLE	US	whitelisted
2432	iexplore.exe	142.250.186.163:443	www.gstatic.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
accounts.google.com	142.250.74.205	shared
www.facebook.com	157.240.234.35	whitelisted
store.steampowered.com	23.35.228.101	whitelisted
twitter.com	104.244.42.193	whitelisted
www.paypal.com	151.101.1.21 151.101.65.21 151.101.129.21 151.101.193.21	whitelisted
www.epicgames.com	75.101.208.230 34.206.130.105 3.214.39.91 52.204.190.22 44.220.8.27 34.199.229.22 44.216.163.13 18.214.77.161	whitelisted
steamcommunity.com	23.212.216.106	whitelisted
www.gstatic.com	142.250.186.163	whitelisted
www.youtube.com	142.250.186.78 142.250.186.110 142.250.186.142 142.250.74.206 142.250.186.46 172.217.18.14 172.217.16.206 142.250.186.174 142.250.184.206 216.58.212.174 216.58.212.142 142.250.185.78 216.58.206.46 142.250.185.110 142.250.185.142 142.250.185.174	whitelisted
fonts.gstatic.com	142.250.184.227	whitelisted

Threats

PID	Process	Class	Message
2080	AppLaunch.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
2080	AppLaunch.exe	Potentially Bad Traffic	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2080	AppLaunch.exe	A Network Trojan was detected	STEALER [ANY.RUN] Win32/Stealc (Check-In)
2572	AppLaunch.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
2572	AppLaunch.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2572	AppLaunch.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
2572	AppLaunch.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC - Id1Response
1672	explothe.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Check-In
1672	explothe.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Bot Activity (POST) M2
1672	explothe.exe	A Network Trojan was detected	AV TROJAN Agent.DHOA System Info Exfiltration

Add for printing

No debug info

General Info

file

136459F311ACCC08F70FE00E6BEC6378

789413255DE469464533AEFA13F16D6E7760E613

31111863184999972398BD14DF902DC5F24DAE8549B4B734C6981501ECB0EFA9

49152:TLnemILvLHFbLnZbAcYs6CpHhfTGw1wCVCirPfiBZyORbfUjIRO/0oOZAUxYbIki:3n2lbVAcYdCpb110QnirdoEq0oO9xYba

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was dropped or rewritten from another process

Application was injected by another process

STEALC has been detected (SURICATA)

Connects to the CnC server

Runs injected code in another process

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

AMADEY has been detected (SURICATA)

REDLINE has been detected (SURICATA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

AMADEY has been detected (YARA)

Loads dropped or rewritten executable

SUSPICIOUS

Process drops legitimate windows executable

Reads the Internet Settings

Connects to the server without a host name

Starts itself from another location

Starts CMD.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

Application launched itself

Executing commands from a ".bat" file

Searches for installed software

The process executes via Task Scheduler

Connects to unusual port

Process requests binary or script from the Internet

Reads browser cookies

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Reads Environment values

Reads the Internet Settings

Creates files or folders in the user directory

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration