analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

test.zip

Full analysis: https://app.any.run/tasks/5101b95a-1df3-4202-98d1-e4ce3a166a60
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 13:43:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
amadey
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

815C4000399CF67F1E3852069D60326E

SHA1:

ECE83A7252C85A4B815C4CFEA0D4D56C4D360FC2

SHA256:

A5BB49D4641F77DF65A1E729C4D60FF48BB1ED40BE2D89D7B13A951FECEAB25B

SSDEEP:

24576:OaW62JtV33oW/nP0cuBPpYiuU0akl+CDysdPmdoi1uICBhGG+W47gzoZ:xWZtVKBhHuUVkACJPmdRCTVt47VZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • victory.exe (PID: 1652)
      • victory.exe (PID: 3020)
      • sp.exe (PID: 940)

    • AMADEY was detected

      • victory.exe (PID: 3020)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2476)

    • Connects to CnC server

      • victory.exe (PID: 3020)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2412)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2412)
      • cmd.exe (PID: 2440)

    • Application launched itself

      • victory.exe (PID: 1652)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2440)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipFileName: install.bat
ZipUncompressedSize: 280
ZipCompressedSize: 175
ZipCRC: 0xb02501a1
ZipModifyDate: 2019:05:15 08:10:04
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start rundll32.exe no specs winrar.exe cmd.exe reg.exe victory.exe no specs #AMADEY victory.exe notepad.exe no specs sp.exe

Process information

PID
CMD
Path
Indicators
Parent process
3024"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\test.zip.xpiC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2412"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\test.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2440C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\install.bat" "C:\Windows\system32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2476reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchost /t REG_SZ /d "C:\Users\Public\Documents\victory.exe" /f C:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1652C:\Users\Public\Documents\victory.exe C:\Users\Public\Documents\victory.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3020"C:\Users\Public\Documents\victory.exe"C:\Users\Public\Documents\victory.exe
victory.exe
User:
admin
Integrity Level:
MEDIUM
3044"C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\install.batC:\Windows\System32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
940"C:\Users\admin\Desktop\sp.exe" C:\Users\admin\Desktop\sp.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
402
Read events
380
Write events
22
Delete events
0

Modification events

(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2412) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\test.zip
(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2412) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:writeName:@C:\Windows\System32\acppage.dll,-6002
Value:
Windows Batch File
(PID) Process:(2412) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files
3
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1652victory.exeC:\Users\admin\AppData\Local\Temp\Liebert.bmp
MD5:
SHA256:
2412WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2412.35747\sp.exeexecutable
MD5:43CBADADAEAD6F11295BF8843BD909ED
SHA256:6E3856D907DC10621E967E3B805DBE8AF0CEADAEE0E946D479079E62F2DBA64B
2412WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2412.35747\install.battext
MD5:FFED1E44FB75F78C47CCC1071F80C301
SHA256:474882B7211F72B5791CC9EB44BBCBA99B54838BC6B608D35D9684D03839CB20
2412WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2412.35747\victory.exeexecutable
MD5:A9BD8C69BA5EA70002E776C9F618157B
SHA256:F521B34D4B330FFB42284DC267B154DA670139B41C79FC05700FF515F13E9E14
2440cmd.exeC:\Users\Public\Documents\victory.exeexecutable
MD5:A9BD8C69BA5EA70002E776C9F618157B
SHA256:F521B34D4B330FFB42284DC267B154DA670139B41C79FC05700FF515F13E9E14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
15
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3020
victory.exe
POST
200
104.243.41.186:80
http://charley-online.com/back/2019/index.php
US
text
6 b
malicious
3020
victory.exe
POST
200
104.243.41.186:80
http://charley-online.com/back/2019/index.php
US
text
6 b
malicious
3020
victory.exe
POST
200
104.243.41.186:80
http://charley-online.com/back/2019/index.php
US
text
6 b
malicious
3020
victory.exe
POST
200
104.243.41.186:80
http://charley-online.com/back/2019/index.php
US
text
6 b
malicious
3020
victory.exe
POST
200
104.243.41.186:80
http://charley-online.com/back/2019/index.php
US
text
6 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
940
sp.exe
5.252.198.93:7337
unknown
3020
victory.exe
104.243.41.186:80
charley-online.com
Choopa, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
charley-online.com
  • 104.243.41.186
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
3020
victory.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
test.zip