analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

16799646901_30372.zip

Full analysis: https://app.any.run/tasks/65251986-eb54-441c-a735-2a26d220335a
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: July 18, 2019, 14:55:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
amadey
opendir
pony
fareit
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C521259711B2F590B0907C8BB2B8756A

SHA1:

836DC03E94CF6892D09FFABFAA40B3A80B609B5C

SHA256:

96AB15660DA0DD10C7DE1E07BAFA4D3975DE5644F25BACEA82087E179FD70613

SSDEEP:

6144:zm7IewVTxwjByuw6H923h8qkcj9bEpWz8DkyxEk:mI5wjB9GkcxbMDkeEk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • kntd.exe (PID: 2860)
      • NZiCyph.exe (PID: 2160)
      • 1.exe (PID: 2180)
    • AMADEY was detected

      • NZiCyph.exe (PID: 2160)
      • kntd.exe (PID: 2860)
    • Changes the Startup folder

      • REG.exe (PID: 3968)
    • Detected Pony/Fareit Trojan

      • 1.exe (PID: 2180)
    • Connects to CnC server

      • kntd.exe (PID: 2860)
      • 1.exe (PID: 2180)
    • Downloads executable files from the Internet

      • kntd.exe (PID: 2860)
    • Actions looks like stealing of personal data

      • 1.exe (PID: 2180)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3276)
      • NZiCyph.exe (PID: 2160)
      • kntd.exe (PID: 2860)
    • Executed via WMI

      • NZiCyph.exe (PID: 2160)
    • Executes scripts

      • WinRAR.exe (PID: 3572)
    • Starts itself from another location

      • NZiCyph.exe (PID: 2160)
    • Creates files in the program directory

      • NZiCyph.exe (PID: 2160)
    • Uses REG.EXE to modify Windows registry

      • kntd.exe (PID: 2860)
    • Starts CMD.EXE for commands execution

      • 1.exe (PID: 2180)
    • Loads DLL from Mozilla Firefox

      • 1.exe (PID: 2180)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:07:18 20:27:16
ZipCRC: 0x587afa96
ZipCompressedSize: 243019
ZipUncompressedSize: 487628
ZipFileName: 16799646901_599788061.vbs
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs wscript.exe #AMADEY nzicyph.exe #AMADEY kntd.exe reg.exe #PONY 1.exe cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3572"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\16799646901_30372.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3276"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3572.25948\16799646901_599788061.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2160C:\Users\admin\AppData\Local\Temp\NZiCyph.exeC:\Users\admin\AppData\Local\Temp\NZiCyph.exe
wmiprvse.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.1810.13
2860c:\programdata\0cdfe991b7\kntd.exec:\programdata\0cdfe991b7\kntd.exe
NZiCyph.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.1810.13
3968REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0cdfe991b7C:\Windows\system32\REG.exe
kntd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2180C:\Users\admin\AppData\Local\Temp\1.exeC:\Users\admin\AppData\Local\Temp\1.exe
kntd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3160cmd /KC:\Windows\system32\cmd.exe1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
956cmd /c ""C:\Users\admin\AppData\Local\Temp\1614015.bat" "C:\Users\admin\AppData\Local\Temp\1.exe" "C:\Windows\system32\cmd.exe1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 267
Read events
1 222
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
3276WScript.exeC:\Users\admin\AppData\Local\Temp\QcwLytGNY.txt
MD5:
SHA256:
2160NZiCyph.exeC:\ProgramData\0
MD5:
SHA256:
2160NZiCyph.exeC:\programdata\0cdfe991b7\kntd.exe:Zone.Identifier
MD5:
SHA256:
2860kntd.exeC:\ProgramData\0
MD5:
SHA256:
2860kntd.exeC:
MD5:
SHA256:
3572WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3572.25948\16799646901_599788061.vbstext
MD5:08FD0576439140471BC08FC1131E97B6
SHA256:9756B58A4AD445BE2F9484AE64661BD92EBA561A9B352C4E632426EECC179B21
3572WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3572.42675\16799646901_599788061.vbstext
MD5:08FD0576439140471BC08FC1131E97B6
SHA256:9756B58A4AD445BE2F9484AE64661BD92EBA561A9B352C4E632426EECC179B21
3276WScript.exeC:\Users\admin\AppData\Local\Temp\JfLOtaCFAtext
MD5:ACFDEDA81C392E977EF6B8C84544D5EB
SHA256:FDFB8255113CA175D3147B4C0D707DCCCC0B96FD3C948FFB2695C79942226F07
2860kntd.exeC:\Users\admin\AppData\Local\Temp\1.exeexecutable
MD5:138576B9626AD0267BED3FD91E577D61
SHA256:35370FA936DBE91014D3AA159FE8E539B3A1130AF6D9CFF08C12C80579D2A933
3276WScript.exeC:\Users\admin\AppData\Local\Temp\QcwLytGNY.txt.zipcompressed
MD5:ACAA9D0410A28BAFCCAE7EBE9DE389CC
SHA256:C3CC1DBF09F79C60F911F9F1938CAE958433CC91609F7FE1076B7831A1C518D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
15
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2180
1.exe
POST
91.224.22.138:80
http://sakedratto.com/mlu/forum.php
RU
malicious
2860
kntd.exe
GET
200
54.36.91.62:80
http://redzoneairsoft.com/wp-content/plugins/multilingual-press/inc/1.exe
FR
executable
222 Kb
malicious
2860
kntd.exe
POST
200
91.224.22.138:80
http://sakedratto.com/f5lkB/index.php
RU
text
90 b
malicious
2860
kntd.exe
POST
200
103.136.43.235:80
http://tincolittat.ru/f5lkB/index.php
unknown
text
6 b
malicious
2860
kntd.exe
POST
200
103.136.43.235:80
http://tincolittat.ru/f5lkB/index.php
unknown
text
6 b
malicious
2860
kntd.exe
POST
200
77.120.115.221:80
http://lorefensed.ru/f5lkB/index.php
UA
text
6 b
malicious
2860
kntd.exe
POST
200
77.120.115.221:80
http://lorefensed.ru/f5lkB/index.php
UA
text
6 b
malicious
2860
kntd.exe
POST
200
91.224.22.138:80
http://sakedratto.com/f5lkB/index.php
RU
text
6 b
malicious
2860
kntd.exe
POST
200
103.136.43.235:80
http://tincolittat.ru/f5lkB/index.php
unknown
text
6 b
malicious
2860
kntd.exe
POST
200
77.120.115.221:80
http://lorefensed.ru/f5lkB/index.php
UA
text
6 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2860
kntd.exe
77.120.115.221:80
lorefensed.ru
Volia
UA
malicious
2860
kntd.exe
103.136.43.235:80
tincolittat.ru
malicious
2860
kntd.exe
91.224.22.138:80
sakedratto.com
Domain names registrar REG.RU, Ltd
RU
malicious
2860
kntd.exe
54.36.91.62:80
redzoneairsoft.com
OVH SAS
FR
malicious
2180
1.exe
91.224.22.138:80
sakedratto.com
Domain names registrar REG.RU, Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
sakedratto.com
  • 91.224.22.138
malicious
redzoneairsoft.com
  • 54.36.91.62
malicious
tincolittat.ru
  • 103.136.43.235
malicious
lorefensed.ru
  • 77.120.115.221
malicious

Threats

PID
Process
Class
Message
2860
kntd.exe
A Network Trojan was detected
ET TROJAN Amadey CnC Check-In
2860
kntd.exe
A Network Trojan was detected
AV TROJAN Agent.DHOA System Info Exfiltration
2860
kntd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
2860
kntd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
2860
kntd.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2860
kntd.exe
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2860
kntd.exe
A Network Trojan was detected
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
2860
kntd.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2860
kntd.exe
A Network Trojan was detected
ET TROJAN Amadey CnC Check-In
2860
kntd.exe
A Network Trojan was detected
AV TROJAN Agent.DHOA System Info Exfiltration
No debug info