Malware analysis file Malicious activity | ANY.RUN

Add for printing

File name:	file
Full analysis:	https://app.any.run/tasks/87f269ef-5f9a-4e9e-a4a9-29bab721775b
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 24, 2024, 06:11:42
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer opendir loader stealc themida autoit
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	5E2F916FB8245EE1A5A54EF88C0552A7
SHA1:	6F58DB34358A0122EFA1961F8EE4F0ABFDC8EF5B
SHA256:	3831464579A25C4C01CB382305511A8033EAC84229B5F5856D7E301230F8A48D
SSDEEP:	98304:5kbm77pemEpT4AAAQrQEqfPgWo2NOJiH2bdd0WyxlgPsuFcyXC3b16v1m9IinR9:Iku

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- AMADEY has been detected (SURICATA)
  - skotes.exe (PID: 1712)
- StealC has been detected
  - df0c7c9393.exe (PID: 2108)
- Changes the autorun value in the registry
  - skotes.exe (PID: 1712)
- AMADEY has been detected (YARA)
  - skotes.exe (PID: 1712)
- Changes powershell execution policy (RemoteSigned)
  - skotes.exe (PID: 1712)
- Starts Visual C# compiler
  - powershell.exe (PID: 4076)
- Connects to the CnC server
  - skotes.exe (PID: 1712)
  - df0c7c9393.exe (PID: 2108)
  - 241f1de3ca.exe (PID: 7272)
- Stealers network behavior
  - 241f1de3ca.exe (PID: 7272)
  - df0c7c9393.exe (PID: 2108)
- STEALC has been detected (SURICATA)
  - 241f1de3ca.exe (PID: 7272)
  - df0c7c9393.exe (PID: 2108)
SUSPICIOUS
- Reads the BIOS version
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
  - df0c7c9393.exe (PID: 2108)
- Reads security settings of Internet Explorer
  - file.exe (PID: 1128)
  - df0c7c9393.exe (PID: 2108)
  - skotes.exe (PID: 1712)
- Executable content was dropped or overwritten
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
  - csc.exe (PID: 8004)
- Starts itself from another location
  - file.exe (PID: 1128)
- Windows Defender mutex has been found
  - df0c7c9393.exe (PID: 2108)
- Connects to the server without a host name
  - skotes.exe (PID: 1712)
- Contacting a server suspected of hosting an CnC
  - skotes.exe (PID: 1712)
  - 241f1de3ca.exe (PID: 7272)
  - df0c7c9393.exe (PID: 2108)
- Starts POWERSHELL.EXE for commands execution
  - skotes.exe (PID: 1712)
- The process executes Powershell scripts
  - skotes.exe (PID: 1712)
- Uses .NET C# to load dll
  - powershell.exe (PID: 4076)
- Potential Corporate Privacy Violation
  - skotes.exe (PID: 1712)
- The process executes via Task Scheduler
  - skotes.exe (PID: 2204)
  - skotes.exe (PID: 6600)
INFO
- Checks supported languages
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
  - df0c7c9393.exe (PID: 2108)
- Reads the computer name
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
  - df0c7c9393.exe (PID: 2108)
- Sends debugging messages
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
  - df0c7c9393.exe (PID: 2108)
- Create files in a temporary directory
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
- The process uses the downloaded file
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
- Process checks computer location settings
  - file.exe (PID: 1128)
  - skotes.exe (PID: 1712)
- Checks proxy server information
  - df0c7c9393.exe (PID: 2108)
  - skotes.exe (PID: 1712)
- Creates files or folders in the user directory
  - df0c7c9393.exe (PID: 2108)
  - skotes.exe (PID: 1712)
- Application launched itself
  - firefox.exe (PID: 6272)
  - firefox.exe (PID: 6832)
  - firefox.exe (PID: 7832)
- Manual execution by a user
  - firefox.exe (PID: 6272)
- Themida protector has been detected
  - skotes.exe (PID: 1712)
- The process uses AutoIt
  - 03a63843b3.exe (PID: 7036)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 6832)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(1712) skotes.exe

C2185.215.113.43

URLhttp://185.215.113.43/Zu7JuNko/index.php

Version4.42

Options

Drop directoryabc3bc1985

Drop nameskotes.exe

Strings (120)VideoID

st=s

id:

" Content-Type: application/octet-stream

2022

exe

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

-unicode-

<d>

Doctor Web

AVG

dll

Main

Norton

" && ren

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

skotes.exe

4.42

&unit=

/Plugins/

cred.dll

ProgramData\

rundll32.exe

cmd

vs:

DefaultSettings.XResolution

random

?scr=1

GetNativeSystemInfo

%-lu

/Zu7JuNko/index.php

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

og:

Powershell.exe

" && timeout 1 && del

/quiet

AVAST Software

abc3bc1985

360TotalSecurity

dm:

Comodo

Sophos

GET

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

lv:

Rem

Content-Disposition: form-data; name="data"; filename="

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Bitdefender

DefaultSettings.YResolution

un:

https://

SYSTEM\ControlSet001\Services\BasicDisplay\Video

shutdown -s -t 0

ProductName

sd:

"taskkill /f /im "

&& Exit"

Panda Security

http://

POST

Content-Type: application/x-www-form-urlencoded

ComputerName

------

0123456789

CurrentBuild

rundll32

cred.dll|clip.dll|

.jpg

clip.dll

kernel32.dll

:::

S-%lu-

WinDefender

ar:

Kaspersky Lab

185.215.113.43

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

\App

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\0000

-%lu

os:

-executionpolicy remotesigned -File "

ESET

------

pc:

+++

Content-Type: multipart/form-data; boundary=----

av:

cmd /C RMDIR /s/q

ps1

Programs

%USERPROFILE%

zip

<c>

bi:

msi

Startup

Avira

shell32.dll

abcdefghijklmnopqrstuvwxyz0123456789-_

2016

2019

2025

No Malware configuration.

Add for printing

TRiD

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:09:22 17:40:44+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	322048
InitializedDataSize:	117248
UninitializedDataSize:	-
EntryPoint:	0x4c1000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1128

"C:\Users\admin\AppData\Local\Temp\file.exe"

C:\Users\admin\AppData\Local\Temp\file.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1712

"C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe

file.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\abc3bc1985\skotes.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Amadey

(PID) Process(1712) skotes.exe

C2185.215.113.43

URLhttp://185.215.113.43/Zu7JuNko/index.php

Version4.42

Options

Drop directoryabc3bc1985

Drop nameskotes.exe

Strings (120)VideoID

st=s

id:

" Content-Type: application/octet-stream

2022

exe

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

-unicode-

<d>

Doctor Web

AVG

dll

Main

Norton

" && ren

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

skotes.exe

4.42

&unit=

/Plugins/

cred.dll

ProgramData\

rundll32.exe

cmd

vs:

DefaultSettings.XResolution

random

?scr=1

GetNativeSystemInfo

%-lu

/Zu7JuNko/index.php

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

og:

Powershell.exe

" && timeout 1 && del

/quiet

AVAST Software

abc3bc1985

360TotalSecurity

dm:

Comodo

Sophos

GET

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

lv:

Rem

Content-Disposition: form-data; name="data"; filename="

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Bitdefender

DefaultSettings.YResolution

un:

https://

SYSTEM\ControlSet001\Services\BasicDisplay\Video

shutdown -s -t 0

ProductName

sd:

"taskkill /f /im "

&& Exit"

Panda Security

http://

POST

Content-Type: application/x-www-form-urlencoded

ComputerName

------

0123456789

CurrentBuild

rundll32

cred.dll|clip.dll|

.jpg

clip.dll

kernel32.dll

:::

S-%lu-

WinDefender

ar:

Kaspersky Lab

185.215.113.43

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

\App

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\0000

-%lu

os:

-executionpolicy remotesigned -File "

ESET

------

pc:

+++

Content-Type: multipart/form-data; boundary=----

av:

cmd /C RMDIR /s/q

ps1

Programs

%USERPROFILE%

zip

<c>

bi:

msi

Startup

Avira

shell32.dll

abcdefghijklmnopqrstuvwxyz0123456789-_

2016

2019

2025

2108

"C:\Users\admin\AppData\Local\Temp\1000002001\df0c7c9393.exe"

C:\Users\admin\AppData\Local\Temp\1000002001\df0c7c9393.exe

skotes.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\1000002001\df0c7c9393.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2204

"C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\abc3bc1985\skotes.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2424

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1832 -parentBuildID 20240213221259 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 30537 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {265f8907-d00a-4171-b471-faf1a16b8831} 6832 "\\.\pipe\gecko-crash-server-pipe.6832" 2263fde5110 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2904

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 26706 -prefMapSize 244343 -jsInitHandle 1376 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf08be8-6062-42a0-9ca3-fcdfbed3e609} 6832 "\\.\pipe\gecko-crash-server-pipe.6832" 22645c5e150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

4076

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\admin\AppData\Local\Temp\1000008141\blo.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

skotes.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4444

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 5392 -prefsLen 34713 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93152829-3dd8-4cf8-8f22-939e1db3c2c5} 6832 "\\.\pipe\gecko-crash-server-pipe.6832" 2264ab4eb10 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

4644

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5028

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 3 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1376 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aa4498f-26d5-438d-b55b-3e62c8866709} 6832 "\\.\pipe\gecko-crash-server-pipe.6832" 22648dd1310 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

Add for printing

Total events

20 327

Read events

20 314

Write events

Delete events

Modification events


(PID) Process:	(1712) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1712) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1712) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2108) df0c7c9393.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2108) df0c7c9393.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2108) df0c7c9393.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1712) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	df0c7c9393.exe
Value: C:\Users\admin\AppData\Local\Temp\1000002001\df0c7c9393.exe
(PID) Process:	(6832) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(1712) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	03a63843b3.exe
Value: C:\Users\admin\AppData\Local\Temp\1000004101\03a63843b3.exe
(PID) Process:	(1712) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	241f1de3ca.exe
Value: C:\Users\admin\1000015002\241f1de3ca.exe

Add for printing

Executable files

Suspicious files

171

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1712	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\random[1].exe		executable
		MD5:968F1713291A2E6F0AA6897C3B4FFC5A	SHA256:1E6C55DE26DB9B94AC8EC4CD919EC8B86D325BAEEDE09705651557A31FC56BD6
6832	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6832	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1712	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\random[1].exe		executable
		MD5:C22583E37658E274902F9D65F76D4FFC	SHA256:2DD94122C325D9B40CE1A4591FCAB178FBA1EF148DBB87C1D0E34328B15F9E31
1712	skotes.exe	C:\Users\admin\AppData\Local\Temp\1000002001\df0c7c9393.exe		executable
		MD5:C22583E37658E274902F9D65F76D4FFC	SHA256:2DD94122C325D9B40CE1A4591FCAB178FBA1EF148DBB87C1D0E34328B15F9E31
6832	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin		binary
		MD5:297E88D7CEB26E549254EC875649F4EB	SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
1712	skotes.exe	C:\Users\admin\AppData\Local\Temp\1000004101\03a63843b3.exe		executable
		MD5:968F1713291A2E6F0AA6897C3B4FFC5A	SHA256:1E6C55DE26DB9B94AC8EC4CD919EC8B86D325BAEEDE09705651557A31FC56BD6
6832	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6832	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js		text
		MD5:872892B4C4565890ABF02EDBD0F61AA4	SHA256:5654375FE2FEEB9221166580CB21204C8FE19FA2445FB8CD88A30C738B01B15E
6832	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

110

DNS requests

131

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1712	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	unknown
1712	skotes.exe	GET	200	185.215.113.103:80	http://185.215.113.103/steam/random.exe	unknown	—	—	suspicious
1712	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	unknown
2108	df0c7c9393.exe	GET	200	185.215.113.37:80	http://185.215.113.37/	unknown	—	—	malicious
6440	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1712	skotes.exe	GET	200	185.215.113.103:80	http://185.215.113.103/well/random.exe	unknown	—	—	malicious
6832	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
6832	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
2108	df0c7c9393.exe	POST	200	185.215.113.37:80	http://185.215.113.37/e2b1563c6670f193.php	unknown	—	—	unknown
6832	firefox.exe	POST	200	184.25.51.75:80	http://r10.o.lencr.org/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6440	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2272	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.208.16.92:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	92.122.215.53:443	—	Akamai International B.V.	DE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1712	skotes.exe	185.215.113.43:80	—	1337team Limited	SC	malicious
6440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6440	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.185.110	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
youtube.com	142.250.185.78 2a00:1450:4001:80e::200e	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	93.184.215.14	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
spocs.getpocket.com	34.117.188.166	whitelisted

Threats

PID	Process	Class	Message
1712	skotes.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 32
1712	skotes.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
1712	skotes.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 32
1712	skotes.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1712	skotes.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1712	skotes.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1712	skotes.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2108	df0c7c9393.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 32
1712	skotes.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
2108	df0c7c9393.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Stealc HTTP POST Request

2 ETPRO signatures available at the full report

Add for printing

Process	Message
file.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
df0c7c9393.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
241f1de3ca.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

file

5E2F916FB8245EE1A5A54EF88C0552A7

6F58DB34358A0122EFA1961F8EE4F0ABFDC8EF5B

3831464579A25C4C01CB382305511A8033EAC84229B5F5856D7E301230F8A48D

98304:5kbm77pemEpT4AAAQrQEqfPgWo2NOJiH2bdd0WyxlgPsuFcyXC3b16v1m9IinR9:Iku

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY has been detected (SURICATA)

StealC has been detected

Changes the autorun value in the registry

AMADEY has been detected (YARA)

Changes powershell execution policy (RemoteSigned)

Starts Visual C# compiler

Connects to the CnC server

Stealers network behavior

STEALC has been detected (SURICATA)

SUSPICIOUS

Reads the BIOS version

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Starts itself from another location

Windows Defender mutex has been found

Connects to the server without a host name

Contacting a server suspected of hosting an CnC

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Uses .NET C# to load dll

Potential Corporate Privacy Violation

The process executes via Task Scheduler

INFO

Checks supported languages

Reads the computer name

Sends debugging messages

Create files in a temporary directory

The process uses the downloaded file

Process checks computer location settings

Checks proxy server information

Creates files or folders in the user directory

Application launched itself

Manual execution by a user

Themida protector has been detected

The process uses AutoIt

Executable content was dropped or overwritten

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

Amadey

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information