Field | Value
---|---
URL | https://www.malware-traffic-analysis.net/2019/07/25/index.html
Full analysis | https://app.any.run/tasks/16f1b2f8-8ca3-4db0-8cde-9c1086b7a3a5
Verdict | Malicious activity
Threats | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Analysis date | May 20, 2022, 23:50:42
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | 1673053A13F4B442EA718BACF47D6418
SHA1 | 2D76416AA5C6CB180E6B410DE3FC7B616FA495BF
SHA256 | 7ECEFA55F3DA3742646BD054EA05B6938BDF9CED5FDEE38251223CE5FB98D785
SSDEEP | 3:N8DSLHXWQfigcWMMLA2BKAXG5G:2OLHpJY0X8G
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1500 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.malware-traffic-analysis.net/2019/07/25/index.html" | C:\Program Files\Internet Explorer\iexplore.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3100 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1500 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2548 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\2019-07-25-Hancitor-style-Amadey-emails-and-associated-malware.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | iexplore.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0
452 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2548.35804\malware-from-infected-Windows-host\2019-07-25-Cobalt-Strike-EXE-retrieved-by-Amadey-infected-host-art.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2548.35804\malware-from-infected-Windows-host\2019-07-25-Cobalt-Strike-EXE-retrieved-by-Amadey-infected-host-art.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 1768843639
2364 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2548.38222\malware-from-infected-Windows-host\2019-07-25-Amadey-EXE-dropped-by-VBS-files.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2548.38222\malware-from-infected-Windows-host\2019-07-25-Amadey-EXE-dropped-by-VBS-files.exe | — | WinRAR.exe | User: admin; Company: Creative Technology Limited; Integrity Level: MEDIUM; Description: ReadReg MFC Application; Exit code: 0; Version: 2, 0, 0, 2
2444 | c:\programdata\d409470c6b\kntd.exe | c:\programdata\d409470c6b\kntd.exe | — | 2019-07-25-Amadey-EXE-dropped-by-VBS-files.exe | User: admin; Company: Creative Technology Limited; Integrity Level: MEDIUM; Description: ReadReg MFC Application; Version: 2, 0, 0, 2
332 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\d409470c6b | C:\Windows\system32\REG.exe | — | kntd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3920 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2548.39449\malware-from-infected-Windows-host\2019-07-25-Pony-EXE-retrieved-by-Amadey-infected-host-p.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2548.39449\malware-from-infected-Windows-host\2019-07-25-Pony-EXE-retrieved-by-Amadey-infected-host-p.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM
432 | cmd /K | C:\Windows\system32\cmd.exe | — | 2019-07-25-Pony-EXE-retrieved-by-Amadey-infected-host-p.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3112 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb2548.40671\12928130497_878408533.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3100 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der | C04F441D0220712231531A90823834DB | 055641D3987AE98E2DD627D3214EA8084AE773A3DF9592191B86977C752A29E7
3100 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der | 93995AD095112907CFC088998C161574 | FD16D238BCAC3441688E7CA940C27BB02DF8F0BF43B26D8E551414A18748C1CC
3100 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A249A8EAE5FF8B677AA8B178688CF94 | der | D71BCC80A7B0FC9612D7B4619FB2C2AE | B7C991C3B5997CDA961B68B8D3BF0597BC0A9B4805810FC2AFD1A061DD67953B
1500 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | 5C1113B7526A7723B64400D44129FA78 | 9ECC27C740862AB2712DA2C4FF31592E2C0A8643576E64551EE344A73FBE2494
3100 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | BED8FA3310113E9F1435B810CCA9E32C | 455BBDF0E1207246F65BDDD441D0ADD5E4560F7227AB63832AFFA9232AC0803D
3100 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | F6D1FF6DBED4F3BB38DA18FA93B5B00F | 1B5BFD8DEECD090CCFC1D6CE07674AF9F69BC07EDB7A873954F2C6A537EDAAB0
3100 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | CDA0342F9D925BE672DA43C6DECDE0DC | D181A828AABE6116F05EE940C04251877AC3FFD32B698939DFB4962706B65632
3100 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A249A8EAE5FF8B677AA8B178688CF94 | binary | 144540C2A49B9E345DDA4D9069139184 | 592054F174ADF5EDB0CDD1E1BBFD22EEB806DCFA828EC263A91C1DF177F7BA73
3100 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\index[1].htm | html | B77E0C42D87CBA508542663F3DF75616 | DB05D4A2E2D1ECF3D81C0F1C589B802674CC7D6C463AE88F0506C398CA2B5A0F
1500 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F | binary | 5BB7133FBF5FDCA59FB7266441047A80 | FB2C38B0C4892C66526BAA8B7E58C0268206197572130AC511BB8293B396AEE6
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3100 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
3100 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECrsM%2B7Sq5MOuq8mZpDVUKY%3D | US | der | 471 b | whitelisted |
3100 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted |
452 | 2019-07-25-Cobalt-Strike-EXE-retrieved-by-Amadey-infected-host-art.exe | GET | — | 31.44.184.33:80 | http://31.44.184.33/H7mp | RU | — | — | malicious |
1500 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
3100 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b14c99519f4e922c | US | compressed | 4.70 Kb | whitelisted |
1500 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3100 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?25ecb450f1085071 | US | compressed | 4.70 Kb | whitelisted |
1500 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1500 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3100 | iexplore.exe | 199.201.110.204:443 | www.malware-traffic-analysis.net | Namecheap, Inc. | US | suspicious |
1500 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3100 | iexplore.exe | 104.18.32.68:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious |
1500 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1500 | iexplore.exe | 199.201.110.204:443 | www.malware-traffic-analysis.net | Namecheap, Inc. | US | suspicious |
3100 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
— | — | 96.16.143.41:443 | go.microsoft.com | Akamai International B.V. | US | whitelisted |
— | — | 204.79.197.203:443 | www.msn.com | Microsoft Corporation | US | whitelisted |
1500 | iexplore.exe | 20.25.53.147:443 | query.prod.cms.msn.com | — | US | unknown |
Domain | IP | Reputation
---|---|---
www.malware-traffic-analysis.net | — | malicious
ctldl.windowsupdate.com | — | whitelisted
ocsp.comodoca.com | — | whitelisted
api.bing.com | — | whitelisted
www.bing.com | — | whitelisted
ocsp.usertrust.com | — | whitelisted
ocsp.sectigo.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
crl3.digicert.com | — | whitelisted
r20swj13mr.microsoft.com | — | whitelisted
Process | Message |
---|---|
2019-07-25-Cobalt-Strike-EXE-retrieved-by-Amadey-infected-host-art.exe | G8xv |
2019-07-25-Amadey-EXE-dropped-by-VBS-files.exe | zI |
kntd.exe | zI |
XLYHZCq.exe | zI |