File name: | 16799646901_30372.zip |
Full analysis: | https://app.any.run/tasks/65251986-eb54-441c-a735-2a26d220335a |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | July 18, 2019, 14:55:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C521259711B2F590B0907C8BB2B8756A |
SHA1: | 836DC03E94CF6892D09FFABFAA40B3A80B609B5C |
SHA256: | 96AB15660DA0DD10C7DE1E07BAFA4D3975DE5644F25BACEA82087E179FD70613 |
SSDEEP: | 6144:zm7IewVTxwjByuw6H923h8qkcj9bEpWz8DkyxEk:mI5wjB9GkcxbMDkeEk |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:07:18 20:27:16 |
ZipCRC: | 0x587afa96 |
ZipCompressedSize: | 243019 |
ZipUncompressedSize: | 487628 |
ZipFileName: | 16799646901_599788061.vbs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3572 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\16799646901_30372.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3276 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3572.25948\16799646901_599788061.vbs" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2160 | C:\Users\admin\AppData\Local\Temp\NZiCyph.exe | C:\Users\admin\AppData\Local\Temp\NZiCyph.exe | wmiprvse.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.1810.13 | ||||
2860 | c:\programdata\0cdfe991b7\kntd.exe | c:\programdata\0cdfe991b7\kntd.exe | NZiCyph.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.1810.13 | ||||
3968 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0cdfe991b7 | C:\Windows\system32\REG.exe | kntd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2180 | C:\Users\admin\AppData\Local\Temp\1.exe | C:\Users\admin\AppData\Local\Temp\1.exe | kntd.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3160 | cmd /K | C:\Windows\system32\cmd.exe | — | 1.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
956 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1614015.bat" "C:\Users\admin\AppData\Local\Temp\1.exe" " | C:\Windows\system32\cmd.exe | — | 1.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3276 | WScript.exe | C:\Users\admin\AppData\Local\Temp\QcwLytGNY.txt | — | |
MD5:— | SHA256:— | |||
2160 | NZiCyph.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
2160 | NZiCyph.exe | C:\programdata\0cdfe991b7\kntd.exe:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
2860 | kntd.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
2860 | kntd.exe | C: | — | |
MD5:— | SHA256:— | |||
3572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3572.25948\16799646901_599788061.vbs | text | |
MD5:08FD0576439140471BC08FC1131E97B6 | SHA256:9756B58A4AD445BE2F9484AE64661BD92EBA561A9B352C4E632426EECC179B21 | |||
3572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3572.42675\16799646901_599788061.vbs | text | |
MD5:08FD0576439140471BC08FC1131E97B6 | SHA256:9756B58A4AD445BE2F9484AE64661BD92EBA561A9B352C4E632426EECC179B21 | |||
3276 | WScript.exe | C:\Users\admin\AppData\Local\Temp\JfLOtaCFA | text | |
MD5:ACFDEDA81C392E977EF6B8C84544D5EB | SHA256:FDFB8255113CA175D3147B4C0D707DCCCC0B96FD3C948FFB2695C79942226F07 | |||
2860 | kntd.exe | C:\Users\admin\AppData\Local\Temp\1.exe | executable | |
MD5:138576B9626AD0267BED3FD91E577D61 | SHA256:35370FA936DBE91014D3AA159FE8E539B3A1130AF6D9CFF08C12C80579D2A933 | |||
3276 | WScript.exe | C:\Users\admin\AppData\Local\Temp\QcwLytGNY.txt.zip | compressed | |
MD5:ACAA9D0410A28BAFCCAE7EBE9DE389CC | SHA256:C3CC1DBF09F79C60F911F9F1938CAE958433CC91609F7FE1076B7831A1C518D9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2180 | 1.exe | POST | — | 91.224.22.138:80 | http://sakedratto.com/mlu/forum.php | RU | — | — | malicious |
2860 | kntd.exe | GET | 200 | 54.36.91.62:80 | http://redzoneairsoft.com/wp-content/plugins/multilingual-press/inc/1.exe | FR | executable | 222 Kb | malicious |
2860 | kntd.exe | POST | 200 | 91.224.22.138:80 | http://sakedratto.com/f5lkB/index.php | RU | text | 90 b | malicious |
2860 | kntd.exe | POST | 200 | 103.136.43.235:80 | http://tincolittat.ru/f5lkB/index.php | unknown | text | 6 b | malicious |
2860 | kntd.exe | POST | 200 | 103.136.43.235:80 | http://tincolittat.ru/f5lkB/index.php | unknown | text | 6 b | malicious |
2860 | kntd.exe | POST | 200 | 77.120.115.221:80 | http://lorefensed.ru/f5lkB/index.php | UA | text | 6 b | malicious |
2860 | kntd.exe | POST | 200 | 77.120.115.221:80 | http://lorefensed.ru/f5lkB/index.php | UA | text | 6 b | malicious |
2860 | kntd.exe | POST | 200 | 91.224.22.138:80 | http://sakedratto.com/f5lkB/index.php | RU | text | 6 b | malicious |
2860 | kntd.exe | POST | 200 | 103.136.43.235:80 | http://tincolittat.ru/f5lkB/index.php | unknown | text | 6 b | malicious |
2860 | kntd.exe | POST | 200 | 77.120.115.221:80 | http://lorefensed.ru/f5lkB/index.php | UA | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2860 | kntd.exe | 77.120.115.221:80 | lorefensed.ru | Volia | UA | malicious |
2860 | kntd.exe | 103.136.43.235:80 | tincolittat.ru | — | — | malicious |
2860 | kntd.exe | 91.224.22.138:80 | sakedratto.com | Domain names registrar REG.RU, Ltd | RU | malicious |
2860 | kntd.exe | 54.36.91.62:80 | redzoneairsoft.com | OVH SAS | FR | malicious |
2180 | 1.exe | 91.224.22.138:80 | sakedratto.com | Domain names registrar REG.RU, Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
sakedratto.com |
| malicious |
redzoneairsoft.com |
| malicious |
tincolittat.ru |
| malicious |
lorefensed.ru |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2860 | kntd.exe | A Network Trojan was detected | ET TROJAN Amadey CnC Check-In |
2860 | kntd.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |
2860 | kntd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2860 | kntd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2860 | kntd.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
2860 | kntd.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
2860 | kntd.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
2860 | kntd.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2860 | kntd.exe | A Network Trojan was detected | ET TROJAN Amadey CnC Check-In |
2860 | kntd.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |