File name:	Install-trim.exe
Full analysis:	https://app.any.run/tasks/9c5a36c6-5668-4b84-9305-2a83ae6ae66e
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 03, 2023, 11:01:25
OS:	Windows 10 Professional (build: 19044, 32 bit)
Tags:	evasion opendir privateloader loader rat redline smoke trojan amadey glupteba gcleaner xmrig
Indicators:
MIME:	application/x-dosexec
File info:	MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5:	497C0C8026727139EBFF3CCBCC8DFC38
SHA1:	41494C1585D92F440A8F32F1809452E8EB7813B8
SHA256:	9B4ADDDF6322B802A5B5074DFC69C81D77D7AA413B22CD2535D4545F9C5AD95E
SSDEEP:	98304:W6EqhYGJdReRkYc/OpmRQ2GXJVrUMkBdqzKOcZNLhKVgqwqBICISel84:RbRzYc2pmAnAPqzKOcZRhKVVwqeCISF

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

AssemblyVersion:	0.4.0.0
ProductVersion:	0.4.0+a88c671bde
ProductName:	Ben Core
OriginalFileName:	Ben.Demystifier.dll
LegalCopyright:
InternalName:	Ben.Demystifier.dll
FileVersion:	0.4.0.2
FileDescription:	Ben.Demystifier
CompanyName:	Ben Adams
Comments:	High performance understanding for stack traces (Make error logs more productive)
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Dynamic link library
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	0.4.0.0
FileVersionNumber:	0.4.0.2
Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0xbfa184
UninitializedDataSize:	-
InitializedDataSize:	1000448
CodeSize:	2111488
LinkerVersion:	14.29
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit, No debug
TimeStamp:	2023:03:08 06:23:52+00:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	08-Mar-2023 06:23:52
Detected languages:	English - United States
Comments:	High performance understanding for stack traces (Make error logs more productive)
CompanyName:	Ben Adams
FileDescription:	Ben.Demystifier
FileVersion:	0.4.0.2
InternalName:	Ben.Demystifier.dll
LegalCopyright:	-
OriginalFilename:	Ben.Demystifier.dll
ProductName:	Ben Core
ProductVersion:	0.4.0+a88c671bde
Assembly Version:	0.4.0.0

Magic number:	MZ
Bytes on last page of file:	0x0040
Pages in file:	0x0001
Relocations:	0x0000
Size of header:	0x0002
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0xB400
OEM information:	0xCD09
Address of NE header:	0x00000040

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	08-Mar-2023 06:23:52
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_DEBUG_STRIPPED IMAGE_FILE_EXECUTABLE_IMAGE

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.MPRESS1	0x00001000	0x00BF9000	0x004BD600	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.99996
.MPRESS2\x10\x0d	0x00BFA000	0x00000D10	0x00000E00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.73927
.rsrc	0x00BFB000	0x000293CC	0x00029400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	6.49343

Title	Entropy	Size	Codepage	Language	Type
1	5.01389	3650	UNKNOWN	English - United States	RT_MANIFEST
2	4.74055	16936	UNKNOWN	UNKNOWN	RT_ICON
3	4.46008	67624	UNKNOWN	UNKNOWN	RT_ICON
4	7.99175	69499	UNKNOWN	UNKNOWN	RT_ICON
4083	0	444	UNKNOWN	UNKNOWN	RT_STRING
MAINICON	2.69613	62	UNKNOWN	UNKNOWN	RT_GROUP_ICON

PID	CMD	Path	Indicators	Parent process
8	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	forfiles.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
8	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	schtasks.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
72	schtasks /CREATE /TN "JzxgGfMfFuIWhHHUc" /SC once /ST 03:19:52 /RU "SYSTEM" /TR "rundll32 \"C:\WINDOWS\Temp\ncBToFFnpyDffBTR\htxyXkYt\UADecpd.dll\",#1 /site_id 525403" /V1 /F	C:\Windows\System32\schtasks.exe	—	AFcozsM.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
132	"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=58527 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3188 --field-trial-handle=1464,i,6408086746087991193,4447533293897361792,131072 --disable-features=PaintHolding /prefetch:1	C:\Program Files\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 105.0.1343.50
232	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	schtasks.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
388	"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /s	C:\Windows\System32\mmc.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 10.0.19041.1 (WinBuild.160101.0800)
388	schtasks /CREATE /TN "bSuQNXvsyZXdML" /F /xml "C:\Program Files\PKzgMTTBxaSU2\yIlRVgJ.xml" /RU "SYSTEM"	C:\Windows\System32\schtasks.exe	—	ElaBZGM.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
392	"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6	C:\Windows\System32\reg.exe	—	powershell.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
404	"C:\Users\admin\Pictures\Minor Policy\OQbOPyQ89XHaNNwzLvsqBV5p.exe"	C:\Users\admin\Pictures\Minor Policy\OQbOPyQ89XHaNNwzLvsqBV5p.exe		Install-trim.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Win32 Cabinet Self-Extractor Exit code: 0 Version: 11.00.17763.1 (WinBuild.160101.0800)
404	"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6	C:\Windows\System32\reg.exe	—	powershell.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)

PID	Process	Filename		Type
860	Install-trim.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570		binary
		MD5:—	SHA256:—
860	Install-trim.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\XEXI5KK1\6523[1].exe		executable
		MD5:—	SHA256:—
860	Install-trim.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C		binary
		MD5:—	SHA256:—
860	Install-trim.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570		der
		MD5:—	SHA256:—
860	Install-trim.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C		der
		MD5:—	SHA256:—
860	Install-trim.exe	C:\WINDOWS\System32\GroupPolicy\gpt.ini		text
		MD5:07EBC46A53113102243503E4ADD798EA	SHA256:0098D36711324F783FBEAE36010E4F00DD5B772BF7C1A70EEAFDE1933EFEFEBF
860	Install-trim.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\XEXI5KK1\Service[1].vmp		executable
		MD5:021DB70D51C7EB264D8E3D201987DE59	SHA256:6858AF2688D2E14AF2F506E8A268045E38A9EE1A69759DED34C506C112910958
860	Install-trim.exe	C:\Users\admin\Pictures\Minor Policy\FlImFTjXAD2PWnIB9kH6ttJ_.exe		html
		MD5:—	SHA256:—
860	Install-trim.exe	C:\Users\admin\Pictures\Minor Policy\QTIDhztuolEnH8rfiwCNDtn1.exe		executable
		MD5:—	SHA256:—
860	Install-trim.exe	C:\Users\admin\Pictures\Minor Policy\TV58WTC0zcbhmffbh6DL_vTe.exe		executable
		MD5:—	SHA256:—


ADVAPI32.dll
KERNEL32.DLL
SHELL32.dll
USER32.dll
ole32.dll

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
860	Install-trim.exe	HEAD	200	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
860	Install-trim.exe	HEAD	200	193.233.20.35:80	http://193.233.20.35/gallery/photo_007.exe	RU	—	—	suspicious
860	Install-trim.exe	HEAD	200	163.123.143.4:80	http://163.123.143.4/download/Service_.vmp	unknown	—	—	malicious
860	Install-trim.exe	HEAD	200	163.123.143.4:80	http://163.123.143.4/download/Service.vmp	unknown	—	—	malicious
860	Install-trim.exe	HEAD	200	104.21.87.159:80	http://ji.ghwiwwff.com/m/oskg25	US	—	—	malicious
1160	svchost.exe	GET	200	93.184.221.240:80	http://download.windowsupdate.com/d/msdownload/update/others/2023/03/38677868_b5a11517e30342a48165e18e0c7aebeeab8923c9.cab	US	compressed	7.66 Kb	whitelisted
1160	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
860	Install-trim.exe	HEAD	200	194.110.203.101:80	http://194.110.203.101/puta/brazilx86.exe	RU	—	—	suspicious
860	Install-trim.exe	HEAD	200	91.215.85.147:80	http://hugersi.com/dl/6523.exe	RU	—	—	suspicious
860	Install-trim.exe	POST	200	208.67.104.60:80	http://208.67.104.60/api/firegate.php	US	text	108 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
1160	svchost.exe	40.127.169.103:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	87.240.129.133:80	vk.com	VKontakte Ltd	RU	malicious
860	Install-trim.exe	34.117.59.81:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	whitelisted
860	Install-trim.exe	208.67.104.60:80	—	Delis LLC	US	malicious
1160	svchost.exe	52.238.248.6:443	fe2cr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
860	Install-trim.exe	87.240.129.133:80	vk.com	VKontakte Ltd	RU	malicious
2380	SIHClient.exe	40.127.169.103:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
860	Install-trim.exe	87.240.129.133:443	vk.com	VKontakte Ltd	RU	malicious
1160	svchost.exe	93.184.221.240:80	download.windowsupdate.com	EDGECAST	GB	whitelisted
860	Install-trim.exe	93.186.225.194:443	vk.com	VKontakte Ltd	RU	suspicious

Domain	IP	Reputation
ipinfo.io	34.117.59.81	shared
vk.com	87.240.129.133 93.186.225.194 87.240.137.164 87.240.132.78 87.240.132.72 87.240.132.67	whitelisted
officeclient.microsoft.com	52.109.88.191	whitelisted
login.live.com	40.126.32.140 40.126.32.138 40.126.32.76 40.126.32.74 40.126.32.72 40.126.32.68 20.190.160.20 20.190.160.17 20.190.159.71 40.126.31.71 40.126.31.73 20.190.159.75 20.190.159.23 20.190.159.4 20.190.159.2 20.190.159.73	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
nexusrules.officeapps.live.com	52.109.8.86	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
crl.microsoft.com	2.21.20.133 2.21.20.137 2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	2.18.233.62 88.221.169.152	whitelisted
fe2cr.update.microsoft.com	52.238.248.6 13.91.16.71	whitelisted

PID	Process	Class	Message
860	Install-trim.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
—	—	Potentially Bad Traffic	ET INFO URL Shortening Service Domain in DNS Lookup (vk .com)
860	Install-trim.exe	Potentially Bad Traffic	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)
860	Install-trim.exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
860	Install-trim.exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
860	Install-trim.exe	Potentially Bad Traffic	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)
860	Install-trim.exe	Potentially Bad Traffic	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)
860	Install-trim.exe	A Network Trojan was detected	ET INFO Executable Download from dotted-quad Host
860	Install-trim.exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
860	Install-trim.exe	Potentially Bad Traffic	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)

Process	Message
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
chrome.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Google\Chrome\User Data5UE5K directory exists )
chrome.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Google\Chrome\User Data5UE5K directory exists )

General Info

Install-trim.exe

497C0C8026727139EBFF3CCBCC8DFC38

41494C1585D92F440A8F32F1809452E8EB7813B8

9B4ADDDF6322B802A5B5074DFC69C81D77D7AA413B22CD2535D4545F9C5AD95E

98304:W6EqhYGJdReRkYc/OpmRQ2GXJVrUMkBdqzKOcZNLhKVgqwqBICISel84:RbRzYc2pmAnAPqzKOcZRhKVVwqeCISF

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Connects to the CnC server

PRIVATELOADER detected by memory dumps

Actions looks like stealing of personal data

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Disables Windows Defender

Runs injected code in another process

Uses Task Scheduler to run other applications

Application was injected by another process

Uses Task Scheduler to autorun other applications

Changes the Windows auto-update feature

REDLINE was detected

Steals credentials from Web Browsers

REDLINE detected by memory dumps

The DLL Hijacking

Changes the autorun value in the registry

Glupteba is detected

Creates a writable file the system directory

GCLEANER detected by memory dumps

SMOKE was detected

AMADEY detected by memory dumps

Starts CMD.EXE for self-deleting

AMADEY was detected

Modifies files in the Chrome extension folder

GLUPTEBA was detected

SUSPICIOUS

Reads the BIOS version

Connects to the server without a host name

Reads settings of System Certificates

Checks for external IP

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Executes application which crashes

Starts CMD.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

Uses REG/REGEDIT.EXE to modify register

Searches for installed software

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Reads browser cookies

Connects to unusual port

Starts itself from another location

Application launched itself

Uses ICACLS.EXE to modify access control lists

Uses NETSH.EXE to add a firewall rule or allowed programs

Creates files in the driver directory

The process creates files with name similar to system file names

Starts SC.EXE for service management

Drops a system driver (possible attempt to evade defenses)

Uses TASKKILL.EXE to kill process

Starts POWERSHELL.EXE for commands execution

Uses RUNDLL32.EXE to load library

Xmrig is detected

INFO

Checks supported languages

Process checks are UAC notifies on

Reads the computer name

The process checks LSA protection

Reads the machine GUID from the registry

Checks proxy server information

Process checks computer location settings

Reads the software policy settings

Manual execution by a user

Creates files or folders in the user directory

Create files in a temporary directory

Creates files in the program directory

Application was dropped or rewritten from another process