Malware analysis bd0e1d539cf4fb629c481cc8be1672f5.exe Malicious activity

Add for printing

File name:	bd0e1d539cf4fb629c481cc8be1672f5.exe
Full analysis:	https://app.any.run/tasks/04749ff5-a3a9-47e8-bfd2-ee7d80a87334
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	October 26, 2023, 22:46:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	stealc stealer sinkhole redline amadey botnet trojan loader smoke opendir
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	BD0E1D539CF4FB629C481CC8BE1672F5
SHA1:	F79F1F705065C2659A04F4CBDA422DBD261D5DD4
SHA256:	A75A9DED208E0DE9A02823FD2D40B2163CB152869E67E5BFE08388204D7E6D6D
SSDEEP:	49152:gLnemIu6vMUrzHjzVpX7mLmJaluzxPYUWFxWh8IAQbu/3FDuziND+MFXatKLShAD:cn2fvrr/7mOalDBzl8u9LNLXatjhAY0k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - RN0aZ98.exe (PID: 2472)
  - hh3gd14.exe (PID: 2476)
  - Ip6Sf70.exe (PID: 2300)
  - oN9QG66.exe (PID: 944)
  - 5Wo0ra6.exe (PID: 988)
  - explothe.exe (PID: 2592)
- Application was dropped or rewritten from another process
  - Ip6Sf70.exe (PID: 2300)
  - hh3gd14.exe (PID: 2476)
  - oN9QG66.exe (PID: 944)
  - RN0aZ98.exe (PID: 2472)
  - ai6iV30.exe (PID: 2064)
  - 1Uh56fE0.exe (PID: 1176)
  - 2Wx0735.exe (PID: 2216)
  - 3PS43RX.exe (PID: 2424)
  - 5Wo0ra6.exe (PID: 988)
  - 4yW137Xl.exe (PID: 3056)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
  - 7zp8VL57.exe (PID: 2780)
  - explothe.exe (PID: 1532)
  - explothe.exe (PID: 280)
- Connects to the CnC server
  - AppLaunch.exe (PID: 2708)
  - AppLaunch.exe (PID: 2976)
  - explothe.exe (PID: 2592)
  - explorer.exe (PID: 1944)
- Runs injected code in another process
  - 3PS43RX.exe (PID: 2424)
- STEALC has been detected (SURICATA)
  - AppLaunch.exe (PID: 2708)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Changes the autorun value in the registry
  - explothe.exe (PID: 2592)
- Uses Task Scheduler to run other applications
  - explothe.exe (PID: 2592)
- REDLINE has been detected (SURICATA)
  - AppLaunch.exe (PID: 2976)
- AMADEY has been detected (SURICATA)
  - explothe.exe (PID: 2592)
- AMADEY has been detected (YARA)
  - explothe.exe (PID: 2592)
- Steals credentials from Web Browsers
  - AppLaunch.exe (PID: 2976)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 1944)
- Actions looks like stealing of personal data
  - AppLaunch.exe (PID: 2976)
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 2504)
SUSPICIOUS
- Process drops legitimate windows executable
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - Ip6Sf70.exe (PID: 2300)
  - RN0aZ98.exe (PID: 2472)
  - hh3gd14.exe (PID: 2476)
- Reads the Internet Settings
  - AppLaunch.exe (PID: 2708)
  - 5Wo0ra6.exe (PID: 988)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
  - cmd.exe (PID: 2664)
- Starts itself from another location
  - 5Wo0ra6.exe (PID: 988)
- Connects to the server without a host name
  - AppLaunch.exe (PID: 2708)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
  - explorer.exe (PID: 1944)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 1788)
  - 7zp8VL57.exe (PID: 2780)
  - explothe.exe (PID: 2592)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 1788)
- Application launched itself
  - cmd.exe (PID: 1788)
- Executing commands from a ".bat" file
  - 7zp8VL57.exe (PID: 2780)
- The process executes via Task Scheduler
  - explothe.exe (PID: 1532)
  - explothe.exe (PID: 280)
- Connects to unusual port
  - AppLaunch.exe (PID: 2976)
- Reads browser cookies
  - AppLaunch.exe (PID: 2976)
- Searches for installed software
  - AppLaunch.exe (PID: 2976)
- Process requests binary or script from the Internet
  - explothe.exe (PID: 2592)
INFO
- Checks supported languages
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - Ip6Sf70.exe (PID: 2300)
  - RN0aZ98.exe (PID: 2472)
  - hh3gd14.exe (PID: 2476)
  - oN9QG66.exe (PID: 944)
  - 2Wx0735.exe (PID: 2216)
  - 1Uh56fE0.exe (PID: 1176)
  - AppLaunch.exe (PID: 848)
  - AppLaunch.exe (PID: 2708)
  - 3PS43RX.exe (PID: 2424)
  - 5Wo0ra6.exe (PID: 988)
  - 4yW137Xl.exe (PID: 3056)
  - AppLaunch.exe (PID: 2976)
  - explothe.exe (PID: 2592)
  - 6HD1BH3.exe (PID: 2116)
  - 7zp8VL57.exe (PID: 2780)
  - explothe.exe (PID: 1532)
  - explothe.exe (PID: 280)
- Create files in a temporary directory
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - hh3gd14.exe (PID: 2476)
  - Ip6Sf70.exe (PID: 2300)
  - RN0aZ98.exe (PID: 2472)
  - oN9QG66.exe (PID: 944)
  - 5Wo0ra6.exe (PID: 988)
  - 7zp8VL57.exe (PID: 2780)
- Reads the computer name
  - AppLaunch.exe (PID: 848)
  - AppLaunch.exe (PID: 2708)
  - AppLaunch.exe (PID: 2976)
  - 5Wo0ra6.exe (PID: 988)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
- Checks proxy server information
  - AppLaunch.exe (PID: 2708)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
- Reads the machine GUID from the registry
  - AppLaunch.exe (PID: 2708)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
  - AppLaunch.exe (PID: 2976)
- Reads Environment values
  - AppLaunch.exe (PID: 2976)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)
- Creates files or folders in the user directory
  - explothe.exe (PID: 2592)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(2592) explothe.exe

C2 (1)http://77.91.124.1

Version3.89

Options

Drop directoryS-%lu-

Drop name%-lu

Strings (120)-%lu

fefffe8cea

explothe.exe

SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

shutdown -s -t 0

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:25 00:49:06+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	1594368
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
280	C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe	C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe	—	taskeng.exe
User: admin Integrity Level: MEDIUM Exit code: 0
772	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:267521 /prefetch:2	C:\Program Files (x86)\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
848	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	—	1Uh56fE0.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Exit code: 0 Version: 4.7.2558.0 built by: NET471REL1
944	C:\Users\admin\AppData\Local\Temp\IXP004.TMP\oN9QG66.exe	C:\Users\admin\AppData\Local\Temp\IXP004.TMP\oN9QG66.exe	—	hh3gd14.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Win32 Cabinet Self-Extractor Exit code: 0 Version: 11.00.17763.1 (WinBuild.160101.0800)
980	CACLS "..\fefffe8cea" /P "admin:N"	C:\Windows\SysWOW64\cacls.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
988	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\5Wo0ra6.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\5Wo0ra6.exe	—	Ip6Sf70.exe
User: admin Integrity Level: MEDIUM Exit code: 0
992	"C:\Users\admin\AppData\Local\Temp\bd0e1d539cf4fb629c481cc8be1672f5.exe"	C:\Users\admin\AppData\Local\Temp\bd0e1d539cf4fb629c481cc8be1672f5.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Win32 Cabinet Self-Extractor Exit code: 0 Version: 11.00.17763.1 (WinBuild.160101.0800)
1072	C:\Windows\system32\cmd.exe /S /D /c" echo Y"	C:\Windows\SysWOW64\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1176	C:\Users\admin\AppData\Local\Temp\IXP005.TMP\1Uh56fE0.exe	C:\Users\admin\AppData\Local\Temp\IXP005.TMP\1Uh56fE0.exe	—	oN9QG66.exe
User: admin Integrity Level: MEDIUM Exit code: 0
1284	"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login	C:\Program Files\Internet Explorer\iexplore.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
992	bd0e1d539cf4fb629c481cc8be1672f5.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\7zp8VL57.exe		executable
		MD5:7ABA44CE324BEC9DF8F2BC786F1BF7D6	SHA256:D89F6314DB04B2AA7E7E28E0FA12ED64DD6B9E7BCB3A852F50A39BCB9FB9CBD9
2064	ai6iV30.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\Ip6Sf70.exe		executable
		MD5:2E2322FBB41C0FC3B2AA9209B382B85D	SHA256:7023F8CD5A64535DB8A296104D3F5BA0DDB9E43EE92690BD8BFE10129A32EB60
992	bd0e1d539cf4fb629c481cc8be1672f5.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ai6iV30.exe		executable
		MD5:BBA766720D13F035E53CABBE2E64F9FD	SHA256:F4528DFEF29A84769039DBEF60277AB0750BA5E7846E88BDE60F29B33B73942B
2064	ai6iV30.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\6HD1BH3.exe		executable
		MD5:D7AA1AEBDE8209C65E18E0D01EBB81FB	SHA256:6A90E2A35A863497BA3EB37163C55872676AEE5B66B21596F4C68454472AB7D8
2300	Ip6Sf70.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\RN0aZ98.exe		executable
		MD5:E6711C4C54EF20C579918FFEE047CB62	SHA256:4A2EAEAF37DA43FF78E5CD22CAEC4095602231627784195980420AD27E3C8863
2472	RN0aZ98.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\hh3gd14.exe		executable
		MD5:EE7669F3629BD030332194BE97A7B743	SHA256:16D4514D40FF3A5465158D0AF675FDDB1D5876B72C41747B268666C723C5D3F4
944	oN9QG66.exe	C:\Users\admin\AppData\Local\Temp\IXP005.TMP\1Uh56fE0.exe		executable
		MD5:843F01EA473576ABFC35FD818C39A286	SHA256:DBE70CAAF474BA6775C6E4FC97AC9CF6DEE58D41FA1259F18BDE4E05D0298F05
2472	RN0aZ98.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\4yW137Xl.exe		executable
		MD5:E954F1A24852543A4D2822EEBDD44586	SHA256:0467A9AAF14F61F6841B93C179474A0BB77E8D07BFD2482EA3FF2B4767BC6EEE
2476	hh3gd14.exe	C:\Users\admin\AppData\Local\Temp\IXP004.TMP\oN9QG66.exe		executable
		MD5:5246AE164B931241F3C78FD100E84BB4	SHA256:349F5881064DC65677DF0884B807CBADD583847D538D472B91EBEB2FF762073E
2476	hh3gd14.exe	C:\Users\admin\AppData\Local\Temp\IXP004.TMP\3PS43RX.exe		executable
		MD5:C8B9D4C5A20617B4F43AC8C5FD0A81FC	SHA256:01A3AA2ECC71A2182F5DE49548EADE194C483F2F0734E3B1844721868261D3AC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2708	AppLaunch.exe	POST	200	193.233.255.73:80	http://193.233.255.73/loghub/master	unknown	text	8 b	unknown
2592	explothe.exe	GET	404	77.91.124.1:80	http://77.91.124.1/theme/Plugins/cred64.dll	unknown	html	273 b	unknown
2592	explothe.exe	POST	200	77.91.124.1:80	http://77.91.124.1/theme/index.php	unknown	text	6 b	unknown
2592	explothe.exe	GET	200	77.91.124.1:80	http://77.91.124.1/theme/Plugins/clip64.dll	unknown	executable	89.0 Kb	unknown
1944	explorer.exe	POST	404	77.91.68.29:80	http://77.91.68.29/fks/	unknown	binary	7 b	unknown
2116	6HD1BH3.exe	POST	200	193.233.255.73:80	http://193.233.255.73/loghub/master	unknown	text	8 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2708	AppLaunch.exe	193.233.255.73:80	—	LLC Baxet	RU	malicious
4	System	192.168.100.255:138	—	—	—	whitelisted
2116	6HD1BH3.exe	193.233.255.73:80	—	LLC Baxet	RU	malicious
2976	AppLaunch.exe	77.91.124.86:19084	—	Foton Telecom CJSC	RU	malicious
2464	iexplore.exe	157.240.253.35:443	www.facebook.com	FACEBOOK	DE	unknown
2592	explothe.exe	77.91.124.1:80	—	Foton Telecom CJSC	RU	malicious
2464	iexplore.exe	157.240.253.1:443	static.xx.fbcdn.net	FACEBOOK	DE	unknown

DNS requests

Domain	IP	Reputation
www.facebook.com	157.240.253.35	whitelisted
static.xx.fbcdn.net	157.240.253.1	whitelisted
facebook.com	157.240.253.35	whitelisted
fbcdn.net	157.240.253.35	whitelisted
fbsbx.com	157.240.253.35	whitelisted
accounts.google.com	216.58.206.45	shared
www.youtube.com	172.217.16.142 142.250.186.78 142.250.186.110 142.250.186.142 142.250.186.46 172.217.18.14 172.217.16.206 142.250.186.174 142.250.184.206 216.58.212.174 172.217.23.110 142.250.185.78 142.250.185.110 142.250.185.142 142.250.185.174 216.58.206.46	whitelisted
fonts.googleapis.com	142.250.186.74	whitelisted
fonts.gstatic.com	142.250.186.131	whitelisted
www.gstatic.com	142.250.184.227	whitelisted

Threats

PID	Process	Class	Message
2708	AppLaunch.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
2708	AppLaunch.exe	A Network Trojan was detected	STEALER [ANY.RUN] Win32/Stealc (Check-In)
2708	AppLaunch.exe	Potentially Bad Traffic	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2116	6HD1BH3.exe	Potentially Bad Traffic	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2976	AppLaunch.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
2976	AppLaunch.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2976	AppLaunch.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
2976	AppLaunch.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC - Id1Response
2592	explothe.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Bot Activity (POST) M2
2592	explothe.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Check-In

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

bd0e1d539cf4fb629c481cc8be1672f5.exe

BD0E1D539CF4FB629C481CC8BE1672F5

F79F1F705065C2659A04F4CBDA422DBD261D5DD4

A75A9DED208E0DE9A02823FD2D40B2163CB152869E67E5BFE08388204D7E6D6D

49152:gLnemIu6vMUrzHjzVpX7mLmJaluzxPYUWFxWh8IAQbu/3FDuziND+MFXatKLShAD:cn2fvrr/7mOalDBzl8u9LNLXatjhAY0k

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was dropped or rewritten from another process

Connects to the CnC server

Runs injected code in another process

STEALC has been detected (SURICATA)

Application was injected by another process

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

REDLINE has been detected (SURICATA)

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Steals credentials from Web Browsers

SMOKE has been detected (SURICATA)

Actions looks like stealing of personal data

Loads dropped or rewritten executable

SUSPICIOUS

Process drops legitimate windows executable

Reads the Internet Settings

Starts itself from another location

Connects to the server without a host name

Starts CMD.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

Application launched itself

Executing commands from a ".bat" file

The process executes via Task Scheduler

Connects to unusual port

Reads browser cookies

Searches for installed software

Process requests binary or script from the Internet

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Reads Environment values

Reads the Internet Settings

Creates files or folders in the user directory

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings