File name:	3
Full analysis:	https://app.any.run/tasks/53413081-098c-4d19-8ed7-50147714d6ba
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	May 15, 2019, 13:36:50
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trojan amadey opendir
Indicators:
MIME:	application/vnd.ms-cab-compressed
File info:	Microsoft Cabinet archive data, 827079 bytes, 2 files
MD5:	0CAA12C4EA3BF9802337985740021038
SHA1:	9DB0DC442CD268BF14ACEDBD86BEE9AA7F3A0699
SHA256:	4472D902F9EFA717E2AC112D7FF039DC027E59872B4A26F9041D2A56CB7CB98C
SSDEEP:	12288:XPt5cjD6hGi780IiO0FG6aoa8LmNl70V29rF8+TrqJ8VHFTsls9+y444Ek+WU:XPtfTNOQG6aLFJ9+KqIFn9+b7U


(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\3.cab
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\acppage.dll,-6002
Value: Windows Batch File
(PID) Process:	(2912) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000

PID	Process	Filename		Type
2912	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2912.45169\install.bat		—
		MD5:—	SHA256:—
2912	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2912.45169\victory.exe		—
		MD5:—	SHA256:—
2864	victory.exe	C:\Users\admin\AppData\Local\Temp\Liebert.bmp		—
		MD5:—	SHA256:—
2352	victory.exe	C:\Users\admin\AppData\Local\Temp\sp.exe		html
		MD5:C59EB77FC35C9894A432B85B861D9151	SHA256:68280197CB1421961ADFCD99631981689A80A7EB00FCFC4710D55A4EECFBB6DC
2352	victory.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\suspendedpage[1].htm		html
		MD5:C59EB77FC35C9894A432B85B861D9151	SHA256:68280197CB1421961ADFCD99631981689A80A7EB00FCFC4710D55A4EECFBB6DC
2060	cmd.exe	C:\Users\Public\Documents\victory.exe		executable
		MD5:A9BD8C69BA5EA70002E776C9F618157B	SHA256:F521B34D4B330FFB42284DC267B154DA670139B41C79FC05700FF515F13E9E14

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2352	victory.exe	GET	302	188.241.39.220:80	http://fighiting1013.org/2/sp.exe	GB	html	593 b	malicious
2352	victory.exe	POST	200	104.243.41.186:80	http://charley-online.com/back/2019/index.php	US	—	—	malicious
2352	victory.exe	GET	200	188.241.39.220:80	http://fighiting1013.org/cgi-sys/suspendedpage.cgi	GB	html	4.01 Kb	malicious
2352	victory.exe	POST	200	104.243.41.186:80	http://charley-online.com/back/2019/index.php	US	text	50 b	malicious
2352	victory.exe	POST	200	104.243.41.186:80	http://charley-online.com/back/2019/index.php	US	text	6 b	malicious

Domain	IP	Reputation
charley-online.com	104.243.41.186	malicious
fighiting1013.org	188.241.39.220	malicious

PID	Process	Class	Message
2352	victory.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan.Win32.Amadey
2352	victory.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan.Win32.Amadey
2352	victory.exe	Potentially Bad Traffic	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2352	victory.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan.Win32.Amadey
2352	victory.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan.Win32.Amadey

General Info

3

0CAA12C4EA3BF9802337985740021038

9DB0DC442CD268BF14ACEDBD86BEE9AA7F3A0699

4472D902F9EFA717E2AC112D7FF039DC027E59872B4A26F9041D2A56CB7CB98C

12288:XPt5cjD6hGi780IiO0FG6aoa8LmNl70V29rF8+TrqJ8VHFTsls9+y444Ek+WU:XPtfTNOQG6aLFJ9+KqIFn9+b7U

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

AMADEY was detected

Changes the autorun value in the registry

Connects to CnC server

SUSPICIOUS

Uses REG.EXE to modify Windows registry

Application launched itself

Executable content was dropped or overwritten

Reads the machine GUID from the registry

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings