Malware analysis bd0e1d539cf4fb629c481cc8be1672f5.exe Malicious activity

Add for printing

File name:	bd0e1d539cf4fb629c481cc8be1672f5.exe
Full analysis:	https://app.any.run/tasks/04749ff5-a3a9-47e8-bfd2-ee7d80a87334
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	October 26, 2023, 22:46:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	stealc stealer sinkhole redline amadey botnet trojan loader smoke opendir
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	BD0E1D539CF4FB629C481CC8BE1672F5
SHA1:	F79F1F705065C2659A04F4CBDA422DBD261D5DD4
SHA256:	A75A9DED208E0DE9A02823FD2D40B2163CB152869E67E5BFE08388204D7E6D6D
SSDEEP:	49152:gLnemIu6vMUrzHjzVpX7mLmJaluzxPYUWFxWh8IAQbu/3FDuziND+MFXatKLShAD:cn2fvrr/7mOalDBzl8u9LNLXatjhAY0k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - Ip6Sf70.exe (PID: 2300)
  - RN0aZ98.exe (PID: 2472)
  - oN9QG66.exe (PID: 944)
  - hh3gd14.exe (PID: 2476)
  - 5Wo0ra6.exe (PID: 988)
  - explothe.exe (PID: 2592)
- Application was dropped or rewritten from another process
  - Ip6Sf70.exe (PID: 2300)
  - ai6iV30.exe (PID: 2064)
  - hh3gd14.exe (PID: 2476)
  - 1Uh56fE0.exe (PID: 1176)
  - RN0aZ98.exe (PID: 2472)
  - oN9QG66.exe (PID: 944)
  - 2Wx0735.exe (PID: 2216)
  - 3PS43RX.exe (PID: 2424)
  - 4yW137Xl.exe (PID: 3056)
  - 5Wo0ra6.exe (PID: 988)
  - explothe.exe (PID: 2592)
  - 7zp8VL57.exe (PID: 2780)
  - explothe.exe (PID: 1532)
  - explothe.exe (PID: 280)
  - 6HD1BH3.exe (PID: 2116)
- STEALC has been detected (SURICATA)
  - AppLaunch.exe (PID: 2708)
- Connects to the CnC server
  - AppLaunch.exe (PID: 2708)
  - AppLaunch.exe (PID: 2976)
  - explothe.exe (PID: 2592)
  - explorer.exe (PID: 1944)
- Runs injected code in another process
  - 3PS43RX.exe (PID: 2424)
- Application was injected by another process
  - explorer.exe (PID: 1944)
- Uses Task Scheduler to run other applications
  - explothe.exe (PID: 2592)
- Changes the autorun value in the registry
  - explothe.exe (PID: 2592)
- AMADEY has been detected (SURICATA)
  - explothe.exe (PID: 2592)
- Steals credentials from Web Browsers
  - AppLaunch.exe (PID: 2976)
- AMADEY has been detected (YARA)
  - explothe.exe (PID: 2592)
- REDLINE has been detected (SURICATA)
  - AppLaunch.exe (PID: 2976)
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 2504)
- Actions looks like stealing of personal data
  - AppLaunch.exe (PID: 2976)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 1944)
SUSPICIOUS
- Process drops legitimate windows executable
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - RN0aZ98.exe (PID: 2472)
  - Ip6Sf70.exe (PID: 2300)
  - hh3gd14.exe (PID: 2476)
- Reads the Internet Settings
  - AppLaunch.exe (PID: 2708)
  - 5Wo0ra6.exe (PID: 988)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
  - cmd.exe (PID: 2664)
- Connects to the server without a host name
  - AppLaunch.exe (PID: 2708)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
  - explorer.exe (PID: 1944)
- Starts itself from another location
  - 5Wo0ra6.exe (PID: 988)
- Starts CMD.EXE for commands execution
  - explothe.exe (PID: 2592)
  - cmd.exe (PID: 1788)
  - 7zp8VL57.exe (PID: 2780)
- Application launched itself
  - cmd.exe (PID: 1788)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 1788)
- Executing commands from a ".bat" file
  - 7zp8VL57.exe (PID: 2780)
- The process executes via Task Scheduler
  - explothe.exe (PID: 1532)
  - explothe.exe (PID: 280)
- Connects to unusual port
  - AppLaunch.exe (PID: 2976)
- Searches for installed software
  - AppLaunch.exe (PID: 2976)
- Reads browser cookies
  - AppLaunch.exe (PID: 2976)
- Process requests binary or script from the Internet
  - explothe.exe (PID: 2592)
INFO
- Create files in a temporary directory
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - Ip6Sf70.exe (PID: 2300)
  - RN0aZ98.exe (PID: 2472)
  - oN9QG66.exe (PID: 944)
  - 5Wo0ra6.exe (PID: 988)
  - hh3gd14.exe (PID: 2476)
  - 7zp8VL57.exe (PID: 2780)
- Checks supported languages
  - bd0e1d539cf4fb629c481cc8be1672f5.exe (PID: 992)
  - ai6iV30.exe (PID: 2064)
  - Ip6Sf70.exe (PID: 2300)
  - RN0aZ98.exe (PID: 2472)
  - hh3gd14.exe (PID: 2476)
  - AppLaunch.exe (PID: 848)
  - oN9QG66.exe (PID: 944)
  - 2Wx0735.exe (PID: 2216)
  - 1Uh56fE0.exe (PID: 1176)
  - AppLaunch.exe (PID: 2708)
  - 3PS43RX.exe (PID: 2424)
  - 4yW137Xl.exe (PID: 3056)
  - AppLaunch.exe (PID: 2976)
  - 5Wo0ra6.exe (PID: 988)
  - explothe.exe (PID: 2592)
  - 6HD1BH3.exe (PID: 2116)
  - 7zp8VL57.exe (PID: 2780)
  - explothe.exe (PID: 1532)
  - explothe.exe (PID: 280)
- Reads the computer name
  - AppLaunch.exe (PID: 848)
  - AppLaunch.exe (PID: 2708)
  - AppLaunch.exe (PID: 2976)
  - 5Wo0ra6.exe (PID: 988)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
- Checks proxy server information
  - AppLaunch.exe (PID: 2708)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
- Reads the machine GUID from the registry
  - AppLaunch.exe (PID: 2708)
  - AppLaunch.exe (PID: 2976)
  - 6HD1BH3.exe (PID: 2116)
  - explothe.exe (PID: 2592)
- Reads Environment values
  - AppLaunch.exe (PID: 2976)
- Reads the Internet Settings
  - explorer.exe (PID: 1944)
- Creates files or folders in the user directory
  - explothe.exe (PID: 2592)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(2592) explothe.exe

C2 (1)http://77.91.124.1

Version3.89

Options

Drop directoryS-%lu-

Drop name%-lu

Strings (120)-%lu

fefffe8cea

explothe.exe

SCHTASKS

/Create /SC MINUTE /MO 1 /TN

/TR "

" /F

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Rem

cmd /C RMDIR /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rundll32

/Delete /TN "

Programs

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%USERPROFILE%

\App

POST

GET

id=

&vs=

&sd=

&os=

&bi=

&ar=

&pc=

&un=

&dm=

&av=

&lv=

&og=

cred.dll|clip.dll|

Main

http://

https://

exe

dll

cmd

ps1

<c>

<d>

Plugins/

+++

&unit=

shell32.dll

kernel32.dll

GetNativeSystemInfo

ProgramData\

AVAST Software

Avira

Kaspersky Lab

ESET

Panda Security

Doctor Web

AVG

360TotalSecurity

Bitdefender

Norton

Sophos

Comodo

WinDefender

0123456789

Content-Type: multipart/form-data; boundary=----

------

Content-Disposition: form-data; name="data"; filename="

" Content-Type: application/octet-stream

------

?scr=1

.jpg

Content-Type: application/x-www-form-urlencoded

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

ComputerName

abcdefghijklmnopqrstuvwxyz0123456789-_

-unicode-

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

SYSTEM\ControlSet001\Services\BasicDisplay\Video

VideoID

\0000

DefaultSettings.XResolution

DefaultSettings.YResolution

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

2019

2022

2016

CurrentBuild

echo Y|CACLS "

" /P "

:N"

CACLS "

" /P "

:R" /E

:F" /E

&&Exit

..\

:::

rundll32.exe

"taskkill /f /im "

" && timeout 1 && del

&& Exit"

" && ren

Powershell.exe

-executionpolicy remotesigned -File "

shutdown -s -t 0

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:25 00:49:06+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	1594368
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

280

C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe

—

taskeng.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\fefffe8cea\explothe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

772

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:267521 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

848

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

—

1Uh56fE0.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET ClickOnce Launch Utility

Exit code:

Version:

4.7.2558.0 built by: NET471REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

944

C:\Users\admin\AppData\Local\Temp\IXP004.TMP\oN9QG66.exe

—

hh3gd14.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.17763.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\ixp004.tmp\on9qg66.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

980

CACLS "..\fefffe8cea" /P "admin:N"

C:\Windows\SysWOW64\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Control ACLs Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

988

C:\Users\admin\AppData\Local\Temp\IXP002.TMP\5Wo0ra6.exe

—

Ip6Sf70.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\ixp002.tmp\5wo0ra6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

992

"C:\Users\admin\AppData\Local\Temp\bd0e1d539cf4fb629c481cc8be1672f5.exe"

C:\Users\admin\AppData\Local\Temp\bd0e1d539cf4fb629c481cc8be1672f5.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

11.00.17763.1 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\bd0e1d539cf4fb629c481cc8be1672f5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\lpk.dll

1072

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1176

C:\Users\admin\AppData\Local\Temp\IXP005.TMP\1Uh56fE0.exe

—

oN9QG66.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\ixp005.tmp\1uh56fe0.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1284

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll

Add for printing

Total events

12 482

Read events

12 273

Write events

208

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A00000000020000000000106600000001000020000000AED9F7A034803824C8B1E828E6ACF7A63C03C62037EFED43278AD26DABE640A1000000000E8000000002000020000000AB5403F7CEBF10DFE341ABEBBEE1A84444EBC55972843D61F9FD20F3F0EABE92B0000000FC067D59D0357C58872FB611AE92F67CAF2B1FDF280A6E076A7077808FDF9D6902A616185711F2BC394A2B6D44B08968CB658980494D87797413D932F0415C59BCEE2F408C91017ECA1A09CFF46B78A1DDEB7B1A1E3900CE68E46CBA92E3449C11FF6689058BD2FEA4CC617DA5D154EC67F4E85B3C7D41EDD704426CE486FED6952A1CDA27E0F58502A85DA834FC59F375E4A11757B352567CADFEF8F2BB497E437086EEA56B957D31DAA98C7F678CCB4000000048300250278A78A5D4898CA43F5197F9B50DF81CBC35B6CAA716E6F42642EECD0299AF2C0B69703D12B9CACBDB5AD7A7001D20D662BA32D05CD6D99A1234653A
(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(2708) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2708) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2708) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2708) AppLaunch.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000C1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1944) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(988) 5Wo0ra6.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(988) 5Wo0ra6.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(988) 5Wo0ra6.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2300	Ip6Sf70.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\5Wo0ra6.exe		executable
		MD5:647DE676B14474F2813D5A4686D476C7	SHA256:3038A8735E2DEC2135A69F1B1CC396AE379AD45CA80A43D7CAE9EE5F25A19188
2064	ai6iV30.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\6HD1BH3.exe		executable
		MD5:D7AA1AEBDE8209C65E18E0D01EBB81FB	SHA256:6A90E2A35A863497BA3EB37163C55872676AEE5B66B21596F4C68454472AB7D8
944	oN9QG66.exe	C:\Users\admin\AppData\Local\Temp\IXP005.TMP\2Wx0735.exe		executable
		MD5:3BCE8F81C93107A73226C5748A827F60	SHA256:5731659B2210A5253BAD70D175C5B6A456821E3287D2118910C9C8F40303F440
944	oN9QG66.exe	C:\Users\admin\AppData\Local\Temp\IXP005.TMP\1Uh56fE0.exe		executable
		MD5:843F01EA473576ABFC35FD818C39A286	SHA256:DBE70CAAF474BA6775C6E4FC97AC9CF6DEE58D41FA1259F18BDE4E05D0298F05
2476	hh3gd14.exe	C:\Users\admin\AppData\Local\Temp\IXP004.TMP\oN9QG66.exe		executable
		MD5:5246AE164B931241F3C78FD100E84BB4	SHA256:349F5881064DC65677DF0884B807CBADD583847D538D472B91EBEB2FF762073E
2464	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\iaGxcrtiWqg[1].css		text
		MD5:B273FE801A9F2C93D14610E25D8B127B	SHA256:3E8FAE8108E77A67064E5A31DD05A9D5A81AA39AB0B3FCB750387EB69DF4AD91
2464	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\yotEdcUw9Gj[1].css		text
		MD5:3028BE8549D0256C7CA0DFB9ED82FD83	SHA256:A77AABD09C9363B9A7E78221B1DFAA2F7F20D2C6B88F839C9118DB747044BFAD
2472	RN0aZ98.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\hh3gd14.exe		executable
		MD5:EE7669F3629BD030332194BE97A7B743	SHA256:16D4514D40FF3A5465158D0AF675FDDB1D5876B72C41747B268666C723C5D3F4
988	5Wo0ra6.exe	C:\Users\admin\AppData\Local\Temp\fefffe8cea\explothe.exe		executable
		MD5:647DE676B14474F2813D5A4686D476C7	SHA256:3038A8735E2DEC2135A69F1B1CC396AE379AD45CA80A43D7CAE9EE5F25A19188
2464	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\js7_npiLBW4[1].css		text
		MD5:0F7166C1B84259163BFAE021E3EF733A	SHA256:D4EA2354C408BBFD1C6721EDBC1AD40F283684956A5BF768FDA90F2EA9FD9870

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2116	6HD1BH3.exe	POST	200	193.233.255.73:80	http://193.233.255.73/loghub/master	unknown	text	8 b	unknown
2592	explothe.exe	GET	404	77.91.124.1:80	http://77.91.124.1/theme/Plugins/cred64.dll	unknown	html	273 b	unknown
1944	explorer.exe	POST	404	77.91.68.29:80	http://77.91.68.29/fks/	unknown	binary	7 b	unknown
2592	explothe.exe	GET	200	77.91.124.1:80	http://77.91.124.1/theme/Plugins/clip64.dll	unknown	executable	89.0 Kb	unknown
2592	explothe.exe	POST	200	77.91.124.1:80	http://77.91.124.1/theme/index.php	unknown	text	6 b	unknown
2708	AppLaunch.exe	POST	200	193.233.255.73:80	http://193.233.255.73/loghub/master	unknown	text	8 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2708	AppLaunch.exe	193.233.255.73:80	—	LLC Baxet	RU	malicious
4	System	192.168.100.255:138	—	—	—	whitelisted
2116	6HD1BH3.exe	193.233.255.73:80	—	LLC Baxet	RU	malicious
2976	AppLaunch.exe	77.91.124.86:19084	—	Foton Telecom CJSC	RU	malicious
2464	iexplore.exe	157.240.253.35:443	www.facebook.com	FACEBOOK	DE	unknown
2592	explothe.exe	77.91.124.1:80	—	Foton Telecom CJSC	RU	malicious
2464	iexplore.exe	157.240.253.1:443	static.xx.fbcdn.net	FACEBOOK	DE	unknown

DNS requests

Domain	IP	Reputation
www.facebook.com	157.240.253.35	whitelisted
static.xx.fbcdn.net	157.240.253.1	whitelisted
facebook.com	157.240.253.35	whitelisted
fbcdn.net	157.240.253.35	whitelisted
fbsbx.com	157.240.253.35	whitelisted
accounts.google.com	216.58.206.45	shared
www.youtube.com	172.217.16.142 142.250.186.78 142.250.186.110 142.250.186.142 142.250.186.46 172.217.18.14 172.217.16.206 142.250.186.174 142.250.184.206 216.58.212.174 172.217.23.110 142.250.185.78 142.250.185.110 142.250.185.142 142.250.185.174 216.58.206.46	whitelisted
fonts.googleapis.com	142.250.186.74	whitelisted
fonts.gstatic.com	142.250.186.131	whitelisted
www.gstatic.com	142.250.184.227	whitelisted

Threats

PID	Process	Class	Message
2708	AppLaunch.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
2708	AppLaunch.exe	A Network Trojan was detected	STEALER [ANY.RUN] Win32/Stealc (Check-In)
2708	AppLaunch.exe	Potentially Bad Traffic	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2116	6HD1BH3.exe	Potentially Bad Traffic	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2976	AppLaunch.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
2976	AppLaunch.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2976	AppLaunch.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
2976	AppLaunch.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC - Id1Response
2592	explothe.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Bot Activity (POST) M2
2592	explothe.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Check-In

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

bd0e1d539cf4fb629c481cc8be1672f5.exe

BD0E1D539CF4FB629C481CC8BE1672F5

F79F1F705065C2659A04F4CBDA422DBD261D5DD4

A75A9DED208E0DE9A02823FD2D40B2163CB152869E67E5BFE08388204D7E6D6D

49152:gLnemIu6vMUrzHjzVpX7mLmJaluzxPYUWFxWh8IAQbu/3FDuziND+MFXatKLShAD:cn2fvrr/7mOalDBzl8u9LNLXatjhAY0k

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was dropped or rewritten from another process

STEALC has been detected (SURICATA)

Connects to the CnC server

Runs injected code in another process

Application was injected by another process

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

AMADEY has been detected (SURICATA)

Steals credentials from Web Browsers

AMADEY has been detected (YARA)

REDLINE has been detected (SURICATA)

Loads dropped or rewritten executable

Actions looks like stealing of personal data

SMOKE has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Reads the Internet Settings

Connects to the server without a host name

Starts itself from another location

Starts CMD.EXE for commands execution

Application launched itself

Uses ICACLS.EXE to modify access control lists

Executing commands from a ".bat" file

The process executes via Task Scheduler

Connects to unusual port

Searches for installed software

Reads browser cookies

Process requests binary or script from the Internet

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Reads Environment values

Reads the Internet Settings

Creates files or folders in the user directory

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules