File name: | test.zip |
Full analysis: | https://app.any.run/tasks/5101b95a-1df3-4202-98d1-e4ce3a166a60 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | May 15, 2019, 13:43:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 815C4000399CF67F1E3852069D60326E |
SHA1: | ECE83A7252C85A4B815C4CFEA0D4D56C4D360FC2 |
SHA256: | A5BB49D4641F77DF65A1E729C4D60FF48BB1ED40BE2D89D7B13A951FECEAB25B |
SSDEEP: | 24576:OaW62JtV33oW/nP0cuBPpYiuU0akl+CDysdPmdoi1uICBhGG+W47gzoZ:xWZtVKBhHuUVkACJPmdRCTVt47VZ |
.xpi | | | Mozilla Firefox browser extension (66.6) |
---|---|---|
.zip | | | ZIP compressed archive (33.3) |
ZipFileName: | install.bat |
---|---|
ZipUncompressedSize: | 280 |
ZipCompressedSize: | 175 |
ZipCRC: | 0xb02501a1 |
ZipModifyDate: | 2019:05:15 08:10:04 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3024 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\test.zip.xpi | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2412 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\test.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2440 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\install.bat" " | C:\Windows\system32\cmd.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2476 | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchost /t REG_SZ /d "C:\Users\Public\Documents\victory.exe" /f | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1652 | C:\Users\Public\Documents\victory.exe | C:\Users\Public\Documents\victory.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3020 | "C:\Users\Public\Documents\victory.exe" | C:\Users\Public\Documents\victory.exe | victory.exe | |
User: admin Integrity Level: MEDIUM | ||||
3044 | "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\install.bat | C:\Windows\System32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
940 | "C:\Users\admin\Desktop\sp.exe" | C:\Users\admin\Desktop\sp.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM |
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\test.zip | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\acppage.dll,-6002 |
Value: Windows Batch File | |||
(PID) Process: | (2412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1652 | victory.exe | C:\Users\admin\AppData\Local\Temp\Liebert.bmp | — | |
MD5:— | SHA256:— | |||
2412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2412.35747\sp.exe | executable | |
MD5:43CBADADAEAD6F11295BF8843BD909ED | SHA256:6E3856D907DC10621E967E3B805DBE8AF0CEADAEE0E946D479079E62F2DBA64B | |||
2412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2412.35747\install.bat | text | |
MD5:FFED1E44FB75F78C47CCC1071F80C301 | SHA256:474882B7211F72B5791CC9EB44BBCBA99B54838BC6B608D35D9684D03839CB20 | |||
2412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2412.35747\victory.exe | executable | |
MD5:A9BD8C69BA5EA70002E776C9F618157B | SHA256:F521B34D4B330FFB42284DC267B154DA670139B41C79FC05700FF515F13E9E14 | |||
2440 | cmd.exe | C:\Users\Public\Documents\victory.exe | executable | |
MD5:A9BD8C69BA5EA70002E776C9F618157B | SHA256:F521B34D4B330FFB42284DC267B154DA670139B41C79FC05700FF515F13E9E14 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3020 | victory.exe | POST | 200 | 104.243.41.186:80 | http://charley-online.com/back/2019/index.php | US | text | 6 b | malicious |
3020 | victory.exe | POST | 200 | 104.243.41.186:80 | http://charley-online.com/back/2019/index.php | US | text | 6 b | malicious |
3020 | victory.exe | POST | 200 | 104.243.41.186:80 | http://charley-online.com/back/2019/index.php | US | text | 6 b | malicious |
3020 | victory.exe | POST | 200 | 104.243.41.186:80 | http://charley-online.com/back/2019/index.php | US | text | 6 b | malicious |
3020 | victory.exe | POST | 200 | 104.243.41.186:80 | http://charley-online.com/back/2019/index.php | US | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
940 | sp.exe | 5.252.198.93:7337 | — | — | — | unknown |
3020 | victory.exe | 104.243.41.186:80 | charley-online.com | Choopa, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
charley-online.com |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3020 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |