Malware analysis 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe Malicious activity

Add for printing

File name:	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
Full analysis:	https://app.any.run/tasks/0090ba7f-4109-4761-a0fa-b4888832f68b
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 03, 2024, 09:27:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer themida loader stealc lumma redline antivm
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	0B3D97B11E440029D52B34AE6798CFBC
SHA1:	F6EC97CAC5DD7FD597ABC69BEFEE89262B1D0EC1
SHA256:	5B225235D021E0BD9075A79ED7EEAA67E3A360BA9DE6C4D2DB3EE23026A26A2D
SSDEEP:	98304:ksq209v8bORrWUURgzEejD3PMus6bvWpzAkogh7M98me8hxyUZI9qn1myRmo9zWs:o5PKF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
  - Freshbuild.exe (PID: 5940)
  - ZharkBOT.exe (PID: 1960)
- Connects to the CnC server
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
- AMADEY has been detected (SURICATA)
  - axplong.exe (PID: 4220)
  - Hkbsse.exe (PID: 2276)
- AMADEY has been detected (YARA)
  - axplong.exe (PID: 4220)
  - Hkbsse.exe (PID: 2276)
- STEALC has been detected (SURICATA)
  - stealc_zov.exe (PID: 4688)
- Amadey has been detected
  - Freshbuild.exe (PID: 5940)
  - Hkbsse.exe (PID: 2276)
  - Hkbsse.exe (PID: 8)
  - Hkbsse.exe (PID: 2208)
  - Hkbsse.exe (PID: 5576)
- Steals credentials from Web Browsers
  - stealc_zov.exe (PID: 4688)
- REDLINE has been detected (YARA)
  - RegAsm.exe (PID: 3680)
  - newlogs.exe (PID: 3888)
- LUMMA has been detected (SURICATA)
  - BitLockerToGo.exe (PID: 5980)
- Changes the autorun value in the registry
  - 34vgn892c.exe (PID: 4756)
- Actions looks like stealing of personal data
  - BitLockerToGo.exe (PID: 5980)
  - stealc_zov.exe (PID: 4688)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
  - Freshbuild.exe (PID: 5940)
  - 34vgn892c.exe (PID: 4756)
  - Hkbsse.exe (PID: 2276)
- Reads the BIOS version
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - axplong.exe (PID: 2088)
  - axplong.exe (PID: 4852)
  - axplong.exe (PID: 1992)
  - axplong.exe (PID: 3840)
- Reads the date of Windows installation
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - Freshbuild.exe (PID: 5940)
- Starts itself from another location
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - Freshbuild.exe (PID: 5940)
  - ZharkBOT.exe (PID: 1960)
- Executable content was dropped or overwritten
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
  - Freshbuild.exe (PID: 5940)
  - ZharkBOT.exe (PID: 1960)
- Contacting a server suspected of hosting an CnC
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
  - Hkbsse.exe (PID: 2276)
  - BitLockerToGo.exe (PID: 5980)
- Checks Windows Trust Settings
  - axplong.exe (PID: 4220)
- Connects to unusual port
  - axplong.exe (PID: 4220)
  - newlogs.exe (PID: 3888)
  - RegAsm.exe (PID: 3680)
- The process executes via Task Scheduler
  - axplong.exe (PID: 2088)
  - Hkbsse.exe (PID: 8)
  - axplong.exe (PID: 4852)
  - Hkbsse.exe (PID: 2208)
  - axplong.exe (PID: 1992)
  - Hkbsse.exe (PID: 5576)
  - axplong.exe (PID: 3840)
- Potential Corporate Privacy Violation
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
- Connects to the server without a host name
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
  - 34vgn892c.exe (PID: 4756)
- Process requests binary or script from the Internet
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
- Executes application which crashes
  - crypt6.exe (PID: 5636)
- Windows Defender mutex has been found
  - stealc_zov.exe (PID: 4688)
- Searches for installed software
  - stealc_zov.exe (PID: 4688)
  - BitLockerToGo.exe (PID: 5980)
- The process drops Mozilla's DLL files
  - stealc_zov.exe (PID: 4688)
- The process drops C-runtime libraries
  - stealc_zov.exe (PID: 4688)
- Process drops legitimate windows executable
  - stealc_zov.exe (PID: 4688)
- The process checks if it is being run in the virtual environment
  - ZharkBOT.exe (PID: 1960)
  - 34vgn892c.exe (PID: 4756)
- There is functionality for VM detection (Parallels)
  - 34vgn892c.exe (PID: 4756)
- There is functionality for VM detection (VMWare)
  - 34vgn892c.exe (PID: 4756)
INFO
- Checks supported languages
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - axplong.exe (PID: 2088)
  - crypt6.exe (PID: 5636)
  - RegAsm.exe (PID: 3680)
  - newlogs.exe (PID: 3888)
  - stealc_zov.exe (PID: 4688)
  - Freshbuild.exe (PID: 5940)
  - newbuild.exe (PID: 752)
  - ZharkBOT.exe (PID: 1960)
  - Hkbsse.exe (PID: 2276)
  - Hkbsse.exe (PID: 8)
  - axplong.exe (PID: 4852)
  - BitLockerToGo.exe (PID: 5980)
  - 34vgn892c.exe (PID: 4756)
  - Hkbsse.exe (PID: 2208)
  - Hkbsse.exe (PID: 5576)
  - axplong.exe (PID: 3840)
  - axplong.exe (PID: 1992)
- Process checks computer location settings
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - Freshbuild.exe (PID: 5940)
- Reads the computer name
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - RegAsm.exe (PID: 3680)
  - stealc_zov.exe (PID: 4688)
  - newlogs.exe (PID: 3888)
  - Freshbuild.exe (PID: 5940)
  - Hkbsse.exe (PID: 2276)
  - ZharkBOT.exe (PID: 1960)
  - 34vgn892c.exe (PID: 4756)
  - BitLockerToGo.exe (PID: 5980)
- Create files in a temporary directory
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - axplong.exe (PID: 4220)
  - Freshbuild.exe (PID: 5940)
- Reads Environment values
  - axplong.exe (PID: 4220)
  - 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe (PID: 1412)
  - stealc_zov.exe (PID: 4688)
  - Freshbuild.exe (PID: 5940)
  - Hkbsse.exe (PID: 2276)
  - ZharkBOT.exe (PID: 1960)
  - 34vgn892c.exe (PID: 4756)
- Checks proxy server information
  - axplong.exe (PID: 4220)
  - stealc_zov.exe (PID: 4688)
  - WerFault.exe (PID: 4772)
  - Hkbsse.exe (PID: 2276)
  - 34vgn892c.exe (PID: 4756)
- Themida protector has been detected
  - axplong.exe (PID: 4220)
- Reads the machine GUID from the registry
  - axplong.exe (PID: 4220)
  - RegAsm.exe (PID: 3680)
  - newlogs.exe (PID: 3888)
- Reads the software policy settings
  - axplong.exe (PID: 4220)
  - WerFault.exe (PID: 4772)
  - BitLockerToGo.exe (PID: 5980)
- Creates files or folders in the user directory
  - axplong.exe (PID: 4220)
  - WerFault.exe (PID: 4772)
  - stealc_zov.exe (PID: 4688)
- Manual execution by a user
  - Taskmgr.exe (PID: 5956)
  - Taskmgr.exe (PID: 1436)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 1436)
- Reads CPU info
  - stealc_zov.exe (PID: 4688)
- Reads product name
  - stealc_zov.exe (PID: 4688)
- Creates files in the program directory
  - stealc_zov.exe (PID: 4688)
  - ZharkBOT.exe (PID: 1960)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(4220) axplong.exe

C277.91.77.81

URLhttp://77.91.77.81/Kiru9gu/index.php

Version4.30

Options

Drop directory8254624243

Drop nameaxplong.exe

Strings (113)2019

un:

.jpg

Content-Type: application/x-www-form-urlencoded

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

exe

" Content-Type: application/octet-stream

shutdown -s -t 0

vs:

4.30

/Kiru9gu/index.php

Avira

&unit=

-executionpolicy remotesigned -File "

<c>

:::

rundll32

" && timeout 1 && del

POST

dm:

ESET

2022

Comodo

"taskkill /f /im "

st=s

-%lu

Bitdefender

2016

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

&& Exit"

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Powershell.exe

axplong.exe

ComputerName

sd:

" && ren

<d>

\App

ProgramData\

https://

WinDefender

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

id:

pc:

Content-Type: multipart/form-data; boundary=----

VideoID

lv:

Startup

------

\0000

AVAST Software

77.91.77.81

GetNativeSystemInfo

rundll32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

cmd /C RMDIR /s/q

Main

ProductName

SOFTWARE\Microsoft\Windows NT\CurrentVersion

av:

+++

-unicode-

cmd

bi:

DefaultSettings.XResolution

AVG

os:

Norton

S-%lu-

?scr=1

Content-Disposition: form-data; name="data"; filename="

8254624243

kernel32.dll

GET

DefaultSettings.YResolution

SYSTEM\ControlSet001\Services\BasicDisplay\Video

ps1

/Plugins/

dll

og:

Sophos

%-lu

Programs

abcdefghijklmnopqrstuvwxyz0123456789-_

random

------

Panda Security

0123456789

cred.dll|clip.dll|

Rem

CurrentBuild

http://

Kaspersky Lab

ar:

%USERPROFILE%

shell32.dll

360TotalSecurity

Doctor Web

(PID) Process(2276) Hkbsse.exe

C2185.172.128.116

URLhttp://185.172.128.116/Mb3GvQs8/index.php

Version4.30

Options

Drop directoryb66a8ae076

Drop nameHkbsse.exe

Strings (113)2019

un:

.jpg

Content-Type: application/x-www-form-urlencoded

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

exe

" Content-Type: application/octet-stream

shutdown -s -t 0

vs:

4.30

Avira

&unit=

-executionpolicy remotesigned -File "

<c>

:::

Hkbsse.exe

rundll32

" && timeout 1 && del

POST

dm:

ESET

2022

Comodo

"taskkill /f /im "

st=s

-%lu

Bitdefender

2016

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

&& Exit"

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Powershell.exe

ComputerName

sd:

" && ren

<d>

\App

ProgramData\

https://

WinDefender

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

id:

pc:

Content-Type: multipart/form-data; boundary=----

VideoID

lv:

Startup

------

\0000

AVAST Software

GetNativeSystemInfo

rundll32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

cmd /C RMDIR /s/q

Main

ProductName

SOFTWARE\Microsoft\Windows NT\CurrentVersion

av:

+++

-unicode-

cmd

bi:

DefaultSettings.XResolution

AVG

os:

Norton

S-%lu-

?scr=1

Content-Disposition: form-data; name="data"; filename="

kernel32.dll

GET

DefaultSettings.YResolution

SYSTEM\ControlSet001\Services\BasicDisplay\Video

185.172.128.116

ps1

/Plugins/

dll

og:

b66a8ae076

Sophos

%-lu

Programs

/Mb3GvQs8/index.php

abcdefghijklmnopqrstuvwxyz0123456789-_

random

------

Panda Security

0123456789

cred.dll|clip.dll|

Rem

CurrentBuild

http://

Kaspersky Lab

ar:

%USERPROFILE%

shell32.dll

360TotalSecurity

Doctor Web

RedLine

(PID) Process(3680) RegAsm.exe

C2 (1)4.185.56.82:42687

BotnetLiveTraffoc

Options

ErrorMessageError, disable antivirus and try again!

Keys

XorUglied

(PID) Process(3888) newlogs.exe

C2 (1)85.28.47.7:17210

Botnetnewlogs

Options

ErrorMessage

Keys

XorCablings

No Malware configuration.

Add for printing

TRiD

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:06:04 08:24:10+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	320512
InitializedDataSize:	116224
UninitializedDataSize:	-
EntryPoint:	0x4b2000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

164

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Users\admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"

C:\Users\admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\b66a8ae076\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

752

"C:\Users\admin\AppData\Local\Temp\1000132001\newbuild.exe"

C:\Users\admin\AppData\Local\Temp\1000132001\newbuild.exe

—

axplong.exe

User:

admin

Company:

Chrome Password Remover

Integrity Level:

MEDIUM

Description:

Chrome Password Remover

Exit code:

666

Version:

1.1.0.0

Modules

Images
c:\users\admin\appdata\local\temp\1000132001\newbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1412

"C:\Users\admin\AppData\Local\Temp\5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe"

C:\Users\admin\AppData\Local\Temp\5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1436

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Manager

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

1960

"C:\Users\admin\AppData\Local\Temp\1000158001\ZharkBOT.exe"

C:\Users\admin\AppData\Local\Temp\1000158001\ZharkBOT.exe

axplong.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\1000158001\zharkbot.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1992

"C:\Users\admin\AppData\Local\Temp\8254624243\axplong.exe"

C:\Users\admin\AppData\Local\Temp\8254624243\axplong.exe

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\8254624243\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2088

"C:\Users\admin\AppData\Local\Temp\8254624243\axplong.exe"

C:\Users\admin\AppData\Local\Temp\8254624243\axplong.exe

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\8254624243\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2208

"C:\Users\admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"

C:\Users\admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\b66a8ae076\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

2276

"C:\Users\admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"

C:\Users\admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe

Freshbuild.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\b66a8ae076\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Amadey

(PID) Process(2276) Hkbsse.exe

C2185.172.128.116

URLhttp://185.172.128.116/Mb3GvQs8/index.php

Version4.30

Options

Drop directoryb66a8ae076

Drop nameHkbsse.exe

Strings (113)2019

un:

.jpg

Content-Type: application/x-www-form-urlencoded

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

exe

" Content-Type: application/octet-stream

shutdown -s -t 0

vs:

4.30

Avira

&unit=

-executionpolicy remotesigned -File "

<c>

:::

Hkbsse.exe

rundll32

" && timeout 1 && del

POST

dm:

ESET

2022

Comodo

"taskkill /f /im "

st=s

-%lu

Bitdefender

2016

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

&& Exit"

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Powershell.exe

ComputerName

sd:

" && ren

<d>

\App

ProgramData\

https://

WinDefender

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

id:

pc:

Content-Type: multipart/form-data; boundary=----

VideoID

lv:

Startup

------

\0000

AVAST Software

GetNativeSystemInfo

rundll32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

cmd /C RMDIR /s/q

Main

ProductName

SOFTWARE\Microsoft\Windows NT\CurrentVersion

av:

+++

-unicode-

cmd

bi:

DefaultSettings.XResolution

AVG

os:

Norton

S-%lu-

?scr=1

Content-Disposition: form-data; name="data"; filename="

kernel32.dll

GET

DefaultSettings.YResolution

SYSTEM\ControlSet001\Services\BasicDisplay\Video

185.172.128.116

ps1

/Plugins/

dll

og:

b66a8ae076

Sophos

%-lu

Programs

/Mb3GvQs8/index.php

abcdefghijklmnopqrstuvwxyz0123456789-_

random

------

Panda Security

0123456789

cred.dll|clip.dll|

Rem

CurrentBuild

http://

Kaspersky Lab

ar:

%USERPROFILE%

shell32.dll

360TotalSecurity

Doctor Web

2708

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

33 445

Read events

33 136

Write events

308

Delete events

Modification events


(PID) Process:	(1412) 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1412) 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1412) 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1412) 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4220) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4220) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4220) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4220) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4220) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4220) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4220	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\streamer[1].exe		executable
		MD5:96A41C56319D88BAC7C8FF605D570FE8	SHA256:7F318B3F9D6E46940F3F026A243B39B0E12C5D17A4565D1DA0D011ACD22993DF
1436	Taskmgr.exe	C:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock		text
		MD5:F49655F856ACB8884CC0ACE29216F511	SHA256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
4772	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8302.tmp.dmp		binary
		MD5:5351BDF0D981F47DAB2818BC0732F1C8	SHA256:023CBD2BE4A49C8216C3C996B9358CA74BE5808E9FB7B127C1C9CC4F005EB127
4220	axplong.exe	C:\Users\admin\AppData\Local\Temp\1000116001\FILE1.exe		html
		MD5:95498C1B9B6EB9269C9BCD7BFE641C04	SHA256:098D3C0F8CBC0B9D54EEFD2BF53D2B60F1F31B431806E655FAB9187EB30AAEF5
4220	axplong.exe	C:\Users\admin\AppData\Local\Temp\1000115001\build.exe		html
		MD5:E1815408D71968D3B845189650F60CCB	SHA256:ECC0B38EC2B5A764203209F5A65A032A91CF759308857BFBB6F39E26D8F121FA
4772	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER83A1.tmp.xml		xml
		MD5:69AAC809D43F73C0560F674D74CA0D1A	SHA256:91055BBC1091A18662C3AD5F85DFDD96ECA69BB7B3DE1EA67139DBA157990952
4220	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\whiteheroin[1].exe		executable
		MD5:88CDC759CB6FECFE270F0C25918FE732	SHA256:A5EC1058302399DA770F918C41342709675D13B945457E5BF974C80504AAAE0C
1412	5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	C:\WINDOWS\Tasks\axplong.job		binary
		MD5:5AB0A3A0C5F5E2B5B64E78B070437A26	SHA256:48D38976B465E204EF4E64FF5DEF66A38544FC40484BDED849788CDB498AFCD9
4220	axplong.exe	C:\Users\admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe		executable
		MD5:88CDC759CB6FECFE270F0C25918FE732	SHA256:A5EC1058302399DA770F918C41342709675D13B945457E5BF974C80504AAAE0C
4772	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8361.tmp.WERInternalMetadata.xml		xml
		MD5:930F7356966B993CA996B9FC93F511B0	SHA256:2195CAC940D587CD03B642A3C802781763FB062ED031148A5B66CDC7A14B3467

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

226

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6064	svchost.exe	GET	200	23.211.9.92:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
6064	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
4220	axplong.exe	POST	200	77.91.77.81:80	http://77.91.77.81/Kiru9gu/index.php	unknown	—	—	unknown
3040	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
4656	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	unknown
1544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
4220	axplong.exe	POST	200	77.91.77.81:80	http://77.91.77.81/Kiru9gu/index.php	unknown	—	—	unknown
4220	axplong.exe	POST	200	77.91.77.81:80	http://77.91.77.81/Kiru9gu/index.php	unknown	—	—	unknown
3720	SIHClient.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
3720	SIHClient.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2912	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6064	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3944	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6064	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
6064	svchost.exe	23.211.9.92:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4220	axplong.exe	77.91.77.81:80	—	Foton Telecom CJSC	RU	malicious
4220	axplong.exe	104.192.141.1:443	bitbucket.org	AMAZON-02	US	unknown
3040	OfficeClickToRun.exe	20.42.73.30:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.18 2.16.164.43 2.16.164.106 23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.211.9.92 88.221.125.143 184.30.21.171	whitelisted
bitbucket.org	104.192.141.1	shared
self.events.data.microsoft.com	20.42.73.30	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
bbuseruploads.s3.amazonaws.com	52.217.137.1 52.216.41.97 3.5.22.200 3.5.27.245 3.5.2.50 54.231.229.17 3.5.28.51 52.217.123.121	shared
ocsp.rootca1.amazontrust.com	18.245.39.64	shared
ocsp.r2m01.amazontrust.com	18.245.65.219	whitelisted
login.live.com	40.126.31.67 40.126.31.71 20.190.159.0 20.190.159.64 20.190.159.68 20.190.159.73 40.126.31.73 20.190.159.2	whitelisted

Threats

PID	Process	Class	Message
4220	axplong.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
4220	axplong.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
4220	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
4220	axplong.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
4220	axplong.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4220	axplong.exe	Misc activity	ET INFO EXE - Served Attached HTTP
4220	axplong.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4220	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
4220	axplong.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
4220	axplong.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

3 ETPRO signatures available at the full report

Add for printing

Process	Message
5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe

0B3D97B11E440029D52B34AE6798CFBC

F6EC97CAC5DD7FD597ABC69BEFEE89262B1D0EC1

5B225235D021E0BD9075A79ED7EEAA67E3A360BA9DE6C4D2DB3EE23026A26A2D

98304:ksq209v8bORrWUURgzEejD3PMus6bvWpzAkogh7M98me8hxyUZI9qn1myRmo9zWs:o5PKF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Connects to the CnC server

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

STEALC has been detected (SURICATA)

Amadey has been detected

Steals credentials from Web Browsers

REDLINE has been detected (YARA)

LUMMA has been detected (SURICATA)

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the BIOS version

Reads the date of Windows installation

Starts itself from another location

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

Checks Windows Trust Settings

Connects to unusual port

The process executes via Task Scheduler

Potential Corporate Privacy Violation

Connects to the server without a host name

Process requests binary or script from the Internet

Executes application which crashes

Windows Defender mutex has been found

Searches for installed software

The process drops Mozilla's DLL files

The process drops C-runtime libraries

Process drops legitimate windows executable

The process checks if it is being run in the virtual environment

There is functionality for VM detection (Parallels)

There is functionality for VM detection (VMWare)

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Create files in a temporary directory

Reads Environment values

Checks proxy server information

Themida protector has been detected

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Manual execution by a user

Reads security settings of Internet Explorer

Reads CPU info

Reads product name

Creates files in the program directory

Malware configuration

Amadey

RedLine

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information