File name: | file |
Full analysis: | https://app.any.run/tasks/ae45beea-d828-4490-b5b6-ac91efd55136 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | December 05, 2022, 22:41:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 0B17812ABF72F6F13A21357C873ED942 |
SHA1: | 4070FED8D876936F86C7BC5F77CFE6CAD0B75E55 |
SHA256: | A45E5648DAC23FBC36ADB63FCB33B81178594403F276AA3A1195B91FC29AAE5C |
SSDEEP: | 6144:gK7e+5ZtqCdokdEx61urOtUul+wIBQIDchcAVS:gKCCZtBd4rVu4wyDchcAVS |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-May-09 22:10:42 |
Debug artifacts: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 224 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2022-May-09 22:10:42 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 106560 | 107008 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.33166 |
.data | 114688 | 239752 | 128512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9295 |
.rsrc | 356352 | 102496 | 102912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.51738 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.33895 | 1736 | UNKNOWN | UNKNOWN | RT_ICON |
2 | 5.47765 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 5.08275 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 5.44877 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 5.72523 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 5.98694 | 1736 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 5.89149 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 5.11653 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 4.66394 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
10 | 4.73079 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
GDI32.dll |
KERNEL32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1860 | "C:\Users\admin\AppData\Local\Temp\file.exe" | C:\Users\admin\AppData\Local\Temp\file.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2636 | "C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe" | C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe | file.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
680 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F | C:\Windows\System32\schtasks.exe | — | gntuud.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2860 | "C:\Users\admin\AppData\Local\Temp\1000013001\nash.exe" | C:\Users\admin\AppData\Local\Temp\1000013001\nash.exe | gntuud.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Microsoft Visual Studio Exit code: 0 Version: 15.9.28307.1440 Modules
RedLine(PID) Process(2860) nash.exe US (151) LEnvironmentogiEnvironmentn DatEnvironmenta Environment WSystem.Texteb DatSystem.Texta System.Text CoCryptographyokieCryptographys Cryptography ExtGenericension CooGenerickies Generic OFileInfopeFileInfora GFileInfoX StabFileInfole FileInfo OpLinqera GLinqX Linq ApGenericpDaGenericta\RGenericoamiGenericng\ Network Extension UNKNOWN cFileStreamredFileStreamit_cFileStreamardFileStreams FileStream \ Host Port : User Pass cookies.sqlite GetDirectories Entity12 EnumerateDirectories String.Replace String.Remove bcrFileStream.IOypt.dFileStream.IOll FileStream.IO BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder string.Empty BCruintyptCloseAlgorituinthmProvuintider uint BCrUnmanagedTypeyptDecrUnmanagedTypeypt UnmanagedType BCrhKeyyptDeshKeytroyKhKeyey hKey BCpszPropertyryptGepszPropertytPropepszPropertyrty pszProperty BCEncodingryptSEncodingetPrEncodingoperEncodingty Encoding BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey bMasterKey windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob - {0} net.tcp:// / localhost 7455ba4498ca1bfb73b0efbf830fb9b4 Authorization ns1 Ax8gBis3CxAoGTRDAg8gQyoZH1cqNyhO LAhcCQQyc1g= Neeses Yandex\YaAddon asf *wallet* ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu... _ T e l gr am . ex \TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata 1 string.Replace %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl serviceInterface.Extension ProldCharotonVoldCharPN oldChar nSystem.CollectionspvoSystem.Collections* System.Collections ( UNIQUE " Armenia Azerbaijan Belarus Kazakhstan Kyrgyzstan Moldova Tajikistan Uzbekistan Ukraine Russia | https://api.ip.sb/ip SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor System.Windows.Forms roSystem.Linqot\CISystem.LinqMV2 System.Linq SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller AdapterRAM Name SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente System.Management SerialNumber SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId=' System.Text.RegularExpressions ' FileSystem SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId=' System. ExecutablePath [ ] Concat0 MConcatb oConcatr Concat0 Concat SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem Memory {0}{1}{2} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[ Network\ String Replace 80 81 0.0.0.0 Auth_value7455ba4498ca1bfb73b0efbf830fb9b4 Err_msg Botnetnosh C2 (1)31.41.244.14:4683 | |||||||||||||||
2960 | C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe | C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3804 | "C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Roaming\56a1c3d463f381\cred.dll, Main | C:\Windows\System32\rundll32.exe | gntuud.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3280 | C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe | C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
|
(PID) Process: | (1860) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1860) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1860) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1860) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2636) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
Operation: | write | Name: | Startup |
Value: C:\Users\admin\AppData\Local\Temp\3f904562a0\ | |||
(PID) Process: | (2636) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2636) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2636) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2636) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2636) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
2636 | gntuud.exe | C:\Users\admin\AppData\Local\Temp\1000013001\nash.exe | executable | |
MD5:F9021651B165064DFBE6662F543E1792 | SHA256:FC0E730C9B09606EB09F91F39D9E780F005BD0F1674EE411CBB0DE75ACBE4BAE | |||
2636 | gntuud.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\nash[1].exe | executable | |
MD5:F9021651B165064DFBE6662F543E1792 | SHA256:FC0E730C9B09606EB09F91F39D9E780F005BD0F1674EE411CBB0DE75ACBE4BAE | |||
2636 | gntuud.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\cred[1].dll | executable | |
MD5:AEBF8CD9EA982DECDED5EE6F3777C6D7 | SHA256:104AF593683398F0980F2C86E6513B8C1B7DEDEDC1F924D4693AD92410D51A62 | |||
1860 | file.exe | C:\Users\admin\AppData\Local\Temp\3f904562a0\gntuud.exe | executable | |
MD5:0B17812ABF72F6F13A21357C873ED942 | SHA256:A45E5648DAC23FBC36ADB63FCB33B81178594403F276AA3A1195B91FC29AAE5C | |||
2636 | gntuud.exe | C:\Users\admin\AppData\Roaming\56a1c3d463f381\cred.dll | executable | |
MD5:AEBF8CD9EA982DECDED5EE6F3777C6D7 | SHA256:104AF593683398F0980F2C86E6513B8C1B7DEDEDC1F924D4693AD92410D51A62 | |||
2636 | gntuud.exe | C:\Users\admin\AppData\Local\Temp\302019708150 | image | |
MD5:E4CF7F41183AF906770278D5BB91E347 | SHA256:6EC130F51A498F133565AB89F57C6A4F822113A8F0E7FC1F77263D88F16906C6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2636 | gntuud.exe | POST | 200 | 31.41.244.167:80 | http://31.41.244.167/v7eWcjs/index.php?scr=1 | RU | — | — | malicious |
2636 | gntuud.exe | POST | 200 | 31.41.244.167:80 | http://31.41.244.167/v7eWcjs/index.php | RU | text | 51 b | malicious |
3804 | rundll32.exe | POST | 200 | 31.41.244.167:80 | http://31.41.244.167/v7eWcjs/index.php | RU | — | — | malicious |
2636 | gntuud.exe | GET | 200 | 31.41.244.188:80 | http://31.41.244.188/goga/nash.exe | RU | executable | 175 Kb | suspicious |
2636 | gntuud.exe | POST | 200 | 31.41.244.167:80 | http://31.41.244.167/v7eWcjs/index.php | RU | — | — | malicious |
2636 | gntuud.exe | GET | 200 | 31.41.244.167:80 | http://31.41.244.167/v7eWcjs/Plugins/cred.dll | RU | executable | 126 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2636 | gntuud.exe | 31.41.244.167:80 | — | Red Bytes LLC | RU | malicious |
2860 | nash.exe | 31.41.244.14:4683 | — | Red Bytes LLC | RU | malicious |
2636 | gntuud.exe | 31.41.244.188:80 | — | Red Bytes LLC | RU | suspicious |
3804 | rundll32.exe | 31.41.244.167:80 | — | Red Bytes LLC | RU | malicious |
PID | Process | Class | Message |
---|---|---|---|
2636 | gntuud.exe | A Network Trojan was detected | ET TROJAN Amadey CnC Check-In |
2636 | gntuud.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |
2636 | gntuud.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2636 | gntuud.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2636 | gntuud.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2636 | gntuud.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2636 | gntuud.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3804 | rundll32.exe | A Network Trojan was detected | AV TROJAN Trojan/Win32.Agent InfoStealer CnC Checkin |