Malware analysis 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe Malicious activity

Add for printing

File name:	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
Full analysis:	https://app.any.run/tasks/286b3c8b-8989-4545-8ab2-6058f27f7458
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 14, 2024, 06:47:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rhadamanthys stealer amadey botnet
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	9E64B65535E29EC152642D8BDCB22974
SHA1:	5431AA7526BA193C0A92AFFFE2537BC54F51A0BA
SHA256:	6586CB8766C14A87330BF6C79A7CBD7CBFF3CA9DA63574A9C348645117D08F14
SSDEEP:	49152:O45c8yVhK70RAQ75D0Oe/zrf2pwGVA6VqAWtGLBrCtYAObWSrY19ijVzZ0JBJSUk:OZFhKIRH7HWf2pwGloGdIObfszijX0Js

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - cmd.exe (PID: 6556)
  - %MTL-d}~.exe (PID: 2120)
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 6500)
  - findstr.exe (PID: 6040)
- AMADEY has been detected (YARA)
  - Dctooux.exe (PID: 6788)
- Actions looks like stealing of personal data
  - OOBE-Maintenance.exe (PID: 5876)
- RHADAMANTHYS has been detected (SURICATA)
  - OOBE-Maintenance.exe (PID: 5876)
- AMADEY has been detected (SURICATA)
  - Dctooux.exe (PID: 6788)
- Connects to the CnC server
  - Dctooux.exe (PID: 6788)
SUSPICIOUS
- Reads the date of Windows installation
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - %MTL-d}~.exe (PID: 2120)
- Reads security settings of Internet Explorer
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - %MTL-d}~.exe (PID: 2120)
  - Dctooux.exe (PID: 6788)
- Executing commands from a ".bat" file
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
- Starts CMD.EXE for commands execution
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - cmd.exe (PID: 6556)
- Get information on the list of running processes
  - cmd.exe (PID: 6556)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 6556)
  - OOBE-Maintenance.exe (PID: 5876)
  - %MTL-d}~.exe (PID: 2120)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 6556)
- Application launched itself
  - cmd.exe (PID: 6556)
- The executable file from the user directory is run by the CMD process
  - Pleasure.pif (PID: 540)
- Suspicious file concatenation
  - cmd.exe (PID: 3328)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 6556)
- Starts application with an unusual extension
  - cmd.exe (PID: 6556)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 6556)
- Executes application which crashes
  - Pleasure.pif (PID: 540)
- Searches for installed software
  - OOBE-Maintenance.exe (PID: 5876)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 2380)
- Starts itself from another location
  - %MTL-d}~.exe (PID: 2120)
- Connects to unusual port
  - dialer.exe (PID: 2380)
  - OOBE-Maintenance.exe (PID: 5876)
- Connects to the server without a host name
  - Dctooux.exe (PID: 6788)
- The process executes via Task Scheduler
  - Dctooux.exe (PID: 3672)
INFO
- Checks supported languages
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - %MTL-d}~.exe (PID: 2120)
  - Pleasure.pif (PID: 540)
  - Dctooux.exe (PID: 6788)
  - Dctooux.exe (PID: 3672)
- Process checks computer location settings
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - %MTL-d}~.exe (PID: 2120)
- Reads the computer name
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - Pleasure.pif (PID: 540)
  - Dctooux.exe (PID: 6788)
  - %MTL-d}~.exe (PID: 2120)
- Creates files or folders in the user directory
  - 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe (PID: 5908)
  - OOBE-Maintenance.exe (PID: 5876)
- Reads mouse settings
  - Pleasure.pif (PID: 540)
- Manual execution by a user
  - dialer.exe (PID: 2380)
  - OOBE-Maintenance.exe (PID: 5876)
- Drops the executable file immediately after the start
  - OOBE-Maintenance.exe (PID: 5876)
- Reads Environment values
  - %MTL-d}~.exe (PID: 2120)
  - Dctooux.exe (PID: 6788)
- Create files in a temporary directory
  - %MTL-d}~.exe (PID: 2120)
  - Dctooux.exe (PID: 6788)
- Reads the software policy settings
  - slui.exe (PID: 2312)
- Checks proxy server information
  - Dctooux.exe (PID: 6788)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(6788) Dctooux.exe

C291.202.233.180

URLhttp://91.202.233.180/g88sks2SaM/index.php

Version4.19

Options

Drop directoryccbfb9d50e

Drop nameDctooux.exe

Strings (113)Content-Type: multipart/form-data; boundary=----

kernel32.dll

" && ren

%-lu

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

2016

ps1

ccbfb9d50e

Sophos

?scr=1

SOFTWARE\Microsoft\Windows NT\CurrentVersion

------

dll

Content-Disposition: form-data; name="data"; filename="

2022

-unicode-

<c>

cmd /C RMDIR /s/q

AVAST Software

random

ProgramData\

cmd

POST

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

0123456789

Avira

\0000

https://

ComputerName

S-%lu-

WinDefender

%USERPROFILE%

4.19

Bitdefender

Content-Type: application/x-www-form-urlencoded

360TotalSecurity

un:

av:

rundll32.exe

:::

shutdown -s -t 0

Doctor Web

2019

Startup

SYSTEM\ControlSet001\Services\BasicDisplay\Video

dm:

og:

rundll32

CurrentBuild

st=s

lv:

id:

Main

os:

exe

ProductName

<d>

vs:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Dctooux.exe

" && timeout 1 && del

GetNativeSystemInfo

sd:

bi:

DefaultSettings.XResolution

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Programs

.jpg

pc:

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

Powershell.exe

-executionpolicy remotesigned -File "

Norton

/g88sks2SaM/index.php

cred.dll|clip.dll|

&& Exit"

AVG

&unit=

-%lu

Panda Security

abcdefghijklmnopqrstuvwxyz0123456789-_

VideoID

+++

------

"taskkill /f /im "

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

" Content-Type: application/octet-stream

\App

/Plugins/

shell32.dll

91.202.233.180

Comodo

http://

DefaultSettings.YResolution

GET

ESET

Kaspersky Lab

ar:

Rem

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	186880
UninitializedDataSize:	2048
EntryPoint:	0x352d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

540

338783\Pleasure.pif 338783\Q

C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\338783\Pleasure.pif

cmd.exe

User:

admin

Company:

AutoIt Team

Integrity Level:

MEDIUM

Description:

AutoIt v3 Script

Exit code:

3221225477

Version:

3, 3, 14, 4

Modules

Images
c:\users\admin\appdata\local\microsoft\windows\inetcache\338783\pleasure.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

1748

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1768

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2120

"C:\Users\admin\AppData\Local\Microsoft\%MTL-d}~.exe"

C:\Users\admin\AppData\Local\Microsoft\%MTL-d}~.exe

OOBE-Maintenance.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\microsoft\%mtl-d}~.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2192

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2312

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2380

"C:\WINDOWS\system32\dialer.exe"

C:\Windows\SysWOW64\dialer.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Windows Phone Dialer

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\dialer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3288

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 540 -s 904

C:\Windows\SysWOW64\WerFault.exe

—

Pleasure.pif

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

3328

cmd /c copy /b Pitch + Twelve + Conditions + Venture + Pushing 338783\Q

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3672

"C:\Users\admin\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe"

C:\Users\admin\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\ccbfb9d50e\dctooux.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

Add for printing

Total events

11 124

Read events

11 095

Write events

Delete events

Modification events


(PID) Process:	(5908) 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5908) 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5908) 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5908) 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(540) Pleasure.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn
Value:
(PID) Process:	(2120) %MTL-d}~.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2120) %MTL-d}~.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2120) %MTL-d}~.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2120) %MTL-d}~.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6788) Dctooux.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Spectrum		binary
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Speak		binary
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Master		binary
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Remembered		binary
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Twelve		text
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Pitch		text
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Venture		text
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Cocks		binary
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Auckland		binary
		MD5:—	SHA256:—
5908	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Pushing		text
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3376	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
2932	SIHClient.exe	GET	200	104.79.89.142:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
6788	Dctooux.exe	POST	200	91.202.233.180:80	http://91.202.233.180/g88sks2SaM/index.php?scr=1	unknown	—	—	unknown
2980	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	unknown
2980	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	unknown	—	—	unknown
2980	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	unknown
2980	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl	unknown	—	—	unknown
2980	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
6788	Dctooux.exe	POST	200	91.202.233.180:80	http://91.202.233.180/g88sks2SaM/index.php	unknown	—	—	unknown
6788	Dctooux.exe	POST	200	91.202.233.180:80	http://91.202.233.180/g88sks2SaM/index.php	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5152	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4008	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
—	—	2.23.209.165:443	—	Akamai International B.V.	GB	unknown
6316	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3720	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3376	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3376	svchost.exe	192.229.221.95:80	—	EDGECAST	US	whitelisted
6316	svchost.exe	88.221.125.143:80	www.microsoft.com	AKAMAI-AS	DE	unknown

DNS requests

Domain	IP	Reputation
client.wns.windows.com	40.113.110.67	whitelisted
hnlhrsLvnXQMkLSbq.hnlhrsLvnXQMkLSbq	49.13.77.253	unknown
login.live.com	20.190.159.75 40.126.31.71 20.190.159.2 40.126.31.69 20.190.159.64 40.126.31.73 20.190.159.4 20.190.159.68	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
www.microsoft.com	88.221.125.143 104.79.89.142	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.227.14	whitelisted

Threats

PID	Process	Class	Message
2380	dialer.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 15
—	—	A Network Trojan was detected	STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s
6788	Dctooux.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 13
6788	Dctooux.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey
—	—	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST) M1

11 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe

9E64B65535E29EC152642D8BDCB22974

5431AA7526BA193C0A92AFFFE2537BC54F51A0BA

6586CB8766C14A87330BF6C79A7CBD7CBFF3CA9DA63574A9C348645117D08F14

49152:O45c8yVhK70RAQ75D0Oe/zrf2pwGVA6VqAWtGLBrCtYAObWSrY19ijVzZ0JBJSUk:OZFhKIRH7HWf2pwGloGdIObfszijX0Js

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Antivirus name has been found in the command line (generic signature)

AMADEY has been detected (YARA)

Actions looks like stealing of personal data

RHADAMANTHYS has been detected (SURICATA)

AMADEY has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Get information on the list of running processes

Executable content was dropped or overwritten

Drops a file with a rarely used extension (PIF)

Application launched itself

The executable file from the user directory is run by the CMD process

Suspicious file concatenation

Using 'findstr.exe' to search for text patterns in files and output

Starts application with an unusual extension

Runs PING.EXE to delay simulation

Executes application which crashes

Searches for installed software

The process checks if it is being run in the virtual environment

Starts itself from another location

Connects to unusual port

Connects to the server without a host name

The process executes via Task Scheduler

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Creates files or folders in the user directory

Reads mouse settings

Manual execution by a user

Drops the executable file immediately after the start

Reads Environment values

Create files in a temporary directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules