File name: | Setup_for_Windows_64_32.zip |
Full analysis: | https://app.any.run/tasks/d4c41845-ddcf-4088-8bdf-0b58dcc20613 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | March 31, 2023, 19:31:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 67868EBAAB6B822187F155CA206C2977 |
SHA1: | D3FE25BADD2E2A7A52B8084D35560322A8C70458 |
SHA256: | C5D8BC4D847D8313F178F08C573EDD09B7EB37FD72E8A1E83B373C78EC5AF63A |
SSDEEP: | 196608:wybt5vlVbAl/rcx00r+U3lfD75Rf2eqn/dIM59:wU9KjcxHZVfD7nf2eqn// |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 10 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2023:03:31 11:07:24 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | Setup_for_Window`s_64_32/ |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2368 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Setup_for_Windows_64_32.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
3380 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Setup_for_Window`s_64_32.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Setup_for_Window`s_64_32.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
2700 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Setup_for_Window`s_64_32.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Setup_for_Window`s_64_32.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
3572 | "C:\Users\admin\AppData\Local\Temp\eb256e24ee\oneetx.exe" | C:\Users\admin\AppData\Local\Temp\eb256e24ee\oneetx.exe | Setup_for_Window`s_64_32.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
1820 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\admin\AppData\Local\Temp\eb256e24ee\oneetx.exe" /F | C:\Windows\System32\schtasks.exe | — | oneetx.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2708 | "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "admin:N"&&CACLS "oneetx.exe" /P "admin:R" /E&&echo Y|CACLS "..\eb256e24ee" /P "admin:N"&&CACLS "..\eb256e24ee" /P "admin:R" /E&&Exit | C:\Windows\System32\cmd.exe | — | oneetx.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1112 | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
852 | CACLS "oneetx.exe" /P "admin:N" | C:\Windows\System32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2420 | CACLS "oneetx.exe" /P "admin:R" /E | C:\Windows\System32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
884 | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
|
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Globalization\Time Zone\timezones.xml | xml | |
MD5:18E0EF07E9049182AB229930E12E85F0 | SHA256:B906F2F0C6DAB2B02A4008D101A6711125DAB9C94712953DA72B1F66421143EC | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Language\Chinese.xml | xml | |
MD5:343825705C23B0A9C7FBA9BEEAAC05F5 | SHA256:5707276F6917AADB4978DD13F7A421FD0A2514E17BF1352BABCDC993B22835ED | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Language\English.xml | xml | |
MD5:1B997BF91F80AEDE6130CD20D9D70788 | SHA256:8941745E1D14E3D92D28173CFC8BB9DD14BD6438CDC8405334241136579076A3 | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Globalization\Time Zone\timezoneMapping.xml | xml | |
MD5:F0281D2A00DDBBD90C9721F235B3124F | SHA256:D133EE1969118CC6048B31507497D3AF16C724A0D9CA4F666F5316785FC8A952 | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Language\Deutsch.xml | xml | |
MD5:5AE7BF927F6B8AD74C68FABFDE5B7EEE | SHA256:0C99D65A3A4C33D175B74784DE5F8B1DFCD81D3BB11B0D85D9DF9E8A7386FFB2 | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Language\italiano.xml | xml | |
MD5:D0AD2EEAE00F091E87BF7ED627EF1DDB | SHA256:ED6CA5C237939265A881FB3FAABE1D2F9FDCCDC3711E135A029CCB8581D57C27 | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Globalization\icuuc58.dll | executable | |
MD5:659004D01D1DEFC4AC242B0940152C1D | SHA256:DCDEB0275B81100BC87542A78133C190F82103FEF50D3E763379934443C3BA35 | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Globalization\icuin58.dll | executable | |
MD5:D69462B430EDDC76EE5AFCDD0A967DF5 | SHA256:D7A7C278C8B6A96D7C085175224B34F01F55826BD81C142A56F47043A6863BE8 | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Language\Chinese Traditional.xml | xml | |
MD5:71E8150855B133EFC2FB99396EAC84EA | SHA256:A8113C836E805EB82FA1B26E99BFC9D230CA375AD05F2A1311F921BD18B76A5C | |||
2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2368.6800\Setup_for_Window`s_64_32\Language\Czech.xml | xml | |
MD5:B52A08B22245AA6737809A046994BA07 | SHA256:F64F326B26F5100822DBB0F4D78291E474A0AA4F44A9332864589CD57BC8E300 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3572 | oneetx.exe | POST | 200 | 77.91.78.118:80 | http://77.91.78.118/u83mfdS2/index.php?scr=1 | RU | — | — | malicious |
3572 | oneetx.exe | GET | 404 | 77.91.78.118:80 | http://77.91.78.118/u83mfdS2/Plugins/cred.dll | RU | html | 162 b | malicious |
3572 | oneetx.exe | GET | 200 | 77.91.78.118:80 | http://77.91.78.118/u83mfdS2/Plugins/clip.dll | RU | executable | 89.0 Kb | malicious |
3572 | oneetx.exe | POST | 200 | 77.91.78.118:80 | http://77.91.78.118/u83mfdS2/index.php | RU | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3572 | oneetx.exe | 77.91.78.118:80 | — | Foton Telecom CJSC | RU | malicious |
PID | Process | Class | Message |
---|---|---|---|
3572 | oneetx.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |
3572 | oneetx.exe | Unknown Classtype | ET MALWARE Amadey CnC Check-In |
3572 | oneetx.exe | A Network Trojan was detected | ET MALWARE Amadey Bot Activity (POST) |
3572 | oneetx.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3572 | oneetx.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent |
3572 | oneetx.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3572 | oneetx.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent |
3572 | oneetx.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3572 | oneetx.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3572 | oneetx.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |