analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

file

Full analysis: https://app.any.run/tasks/5cde136d-cee2-4d19-ac88-02afb7a9ce4e
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: December 05, 2022, 21:34:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
loader
gcleaner
stealer
vidar
amadey
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

68425436636D032FABA7FE3E0A4ECE91

SHA1:

E7CCCF49A9EE8C0E922482FC1C9B99B197575F41

SHA256:

D0BE3792565AAE8BC68BD3AB3847B5D44298EB94EE6A09A7AF2C62305EBA3A78

SSDEEP:

98304:Q+FWIWSdmDCk4h3dDCdh64mVWYZr8xpb7zr/KtG/VaucY/B:fFWIWHvPdh64+QN3r/KuaucY/B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Application was dropped or rewritten from another process

      • xhbyVNTTPYfvh.exe (PID: 2640)
      • iH0VCB.exe (PID: 3788)
      • CpxFvK.exe (PID: 1988)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
      • gntuud.exe (PID: 476)
      • gntuud.exe (PID: 2172)
    • G-cleaner network activity is detected

      • PrintFolders.exe (PID: 3200)
    • VIDAR was detected

      • iH0VCB.exe (PID: 3788)
    • Steals credentials from Web Browsers

      • iH0VCB.exe (PID: 3788)
    • Loads dropped or rewritten executable

      • iH0VCB.exe (PID: 3788)
      • rundll32.exe (PID: 3320)
    • Changes the Startup folder

      • gntuud.exe (PID: 3800)
    • Changes the autorun value in the registry

      • gntuud.exe (PID: 3800)
    • Uses Task Scheduler to run other applications

      • gntuud.exe (PID: 3800)
    • AMADEY was detected

      • gntuud.exe (PID: 3800)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2920)
    • Connects to the CnC server

      • gntuud.exe (PID: 3800)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Creates a directory in Program Files

      • is-5A496.tmp (PID: 2240)
    • Reads the Windows owner or organization settings

      • is-5A496.tmp (PID: 2240)
    • Reads Microsoft Outlook installation path

      • PrintFolders.exe (PID: 3200)
    • Reads the Internet Settings

      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
    • Connects to the server without a host name

      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Reads settings of System Certificates

      • iH0VCB.exe (PID: 3788)
    • Reads security settings of Internet Explorer

      • iH0VCB.exe (PID: 3788)
    • Checks Windows Trust Settings

      • iH0VCB.exe (PID: 3788)
    • Searches for installed software

      • iH0VCB.exe (PID: 3788)
    • Reads browser cookies

      • iH0VCB.exe (PID: 3788)
    • Starts CMD.EXE for commands execution

      • iH0VCB.exe (PID: 3788)
      • PrintFolders.exe (PID: 3200)
    • Starts CMD.EXE for self-deleting

      • iH0VCB.exe (PID: 3788)
    • Starts itself from another location

      • VbuRgjs49.exe (PID: 2288)
    • Uses TASKKILL.EXE to terminate process

      • cmd.exe (PID: 2452)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2452)
    • Executes via Task Scheduler

      • gntuud.exe (PID: 476)
      • gntuud.exe (PID: 2172)
    • Uses RUNDLL32.EXE to load library

      • gntuud.exe (PID: 3800)
    • Drops a file with too old compile date

      • gntuud.exe (PID: 3800)
    • Process requests binary or script from the Internet

      • gntuud.exe (PID: 3800)
  • INFO

    • Checks supported languages

      • file.exe (PID: 2676)
      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • xhbyVNTTPYfvh.exe (PID: 2640)
      • iH0VCB.exe (PID: 3788)
      • CpxFvK.exe (PID: 1988)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
      • gntuud.exe (PID: 476)
      • gntuud.exe (PID: 2172)
    • Reads the computer name

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
    • Creates a file in a temporary directory

      • file.exe (PID: 2676)
      • is-5A496.tmp (PID: 2240)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
    • Creates files in the program directory

      • is-5A496.tmp (PID: 2240)
      • iH0VCB.exe (PID: 3788)
    • Drops a file that was compiled in debug mode

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
    • Loads dropped or rewritten executable

      • is-5A496.tmp (PID: 2240)
    • Application was dropped or rewritten from another process

      • is-5A496.tmp (PID: 2240)
    • Creates a software uninstall entry

      • is-5A496.tmp (PID: 2240)
    • Checks proxy server information

      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Reads product name

      • iH0VCB.exe (PID: 3788)
    • Reads CPU info

      • iH0VCB.exe (PID: 3788)
    • Reads Environment values

      • iH0VCB.exe (PID: 3788)
    • Reads the CPU's name

      • iH0VCB.exe (PID: 3788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName: -
FileDescription: PrintFolders Setup
FileVersion: -
InternalName: -
OriginalFilename: -
ProductName: -
ProductVersion: -

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
36352
36352
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60044
DATA
40960
584
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.72043
BSS
45056
3684
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
49152
2248
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2508
.tls
53248
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
57344
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.199108
.reloc
61440
2156
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
65536
167124
167424
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.27927

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.39383
1128
Latin 1 / Western European
English - United States
RT_ICON
2
5.94971
2440
Latin 1 / Western European
English - United States
RT_ICON
3
5.5357
4264
Latin 1 / Western European
English - United States
RT_ICON
4
5.48577
9640
Latin 1 / Western European
English - United States
RT_ICON
5
5.25469
16936
Latin 1 / Western European
English - United States
RT_ICON
6
5.46372
21640
Latin 1 / Western European
English - United States
RT_ICON
7
5.3545
38056
Latin 1 / Western European
English - United States
RT_ICON
8
4.90318
67624
Latin 1 / Western European
English - United States
RT_ICON
4089
3.21823
754
Latin 1 / Western European
UNKNOWN
RT_STRING
4090
3.31515
780
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
17
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start file.exe no specs file.exe is-5a496.tmp #GCLEANER printfolders.exe xhbyvnttpyfvh.exe no specs #VIDAR ih0vcb.exe cpxfvk.exe cmd.exe no specs timeout.exe no specs vburgjs49.exe no specs #AMADEY gntuud.exe schtasks.exe no specs cmd.exe no specs taskkill.exe no specs gntuud.exe no specs rundll32.exe gntuud.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1968"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
PrintFolders Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
2676"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Integrity Level:
HIGH
Description:
PrintFolders Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
2240"C:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3604422 208896 C:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmp
file.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.42.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-168fa.tmp\is-5a496.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3200"C:\Program Files\PrintFolders\PrintFolders.exe" C:\Program Files\PrintFolders\PrintFolders.exe
is-5A496.tmp
User:
admin
Company:
Atr Software
Integrity Level:
HIGH
Description:
Data Recovery
Exit code:
0
Version:
1.2.3.100
Modules
Images
c:\program files\printfolders\printfolders.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2640 C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\xhbyVNTTPYfvh.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\xhbyvnttpyfvh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
3788"C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe"C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\scxoqb\ih0vcb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
1988"C:\Users\admin\AppData\Roaming\5wj7z\CpxFvK.exe"C:\Users\admin\AppData\Roaming\5wj7z\CpxFvK.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\5wj7z\cpxfvk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
3156"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe" & exitC:\Windows\System32\cmd.exeiH0VCB.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3240timeout /t 6 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2288"C:\Users\admin\AppData\Roaming\9AIDp5ZPMO\VbuRgjs49.exe"C:\Users\admin\AppData\Roaming\9AIDp5ZPMO\VbuRgjs49.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\9aidp5zpmo\vburgjs49.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
Total events
9 084
Read events
8 971
Write events
111
Delete events
2

Modification events

(PID) Process:(2240) is-5A496.tmpKey:HKEY_CURRENT_USER\Software\Atzpoint Software\PrintFolders
Operation:writeName:Language
Value:
eng
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.1.2-beta
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\PrintFolders
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\PrintFolders\
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
PrintFolders
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayName
Value:
PrintFolders 3.100
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe" /SILENT
Executable files
25
Suspicious files
10
Text files
7
Unknown types
14

Dropped files

PID
Process
Filename
Type
2240is-5A496.tmpC:\Program Files\PrintFolders\is-QKN25.tmp
MD5:
SHA256:
2240is-5A496.tmpC:\Program Files\PrintFolders\PrintFolders.exe
MD5:
SHA256:
3200PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ping[1].htmtext
MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
SHA256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
2240is-5A496.tmpC:\Program Files\PrintFolders\unins000.exeexecutable
MD5:BCD1868E95254F9531A7FF38461C0D72
SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
2240is-5A496.tmpC:\Program Files\PrintFolders\unins000.datdat
MD5:EF6AB9378BD76B936156D5CA46FB834E
SHA256:4842E479CE38E1A0B0134F5F4E931D1FE061040E999BC01BEF84064D6B473D06
2676file.exeC:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmpexecutable
MD5:10C841B0221D6870DE7C951EAF5B1DA9
SHA256:4252858D9C6D8D55F829D7E418EA8357FD26FBDF8C0FCE1FED23A8C720A8807E
3200PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fuckingdllENCR[1].dllbinary
MD5:418619EA97671304AF80EC60F5A50B62
SHA256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
2240is-5A496.tmpC:\Program Files\PrintFolders\is-RVMIF.tmpexecutable
MD5:BCD1868E95254F9531A7FF38461C0D72
SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
3200PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MIXTWO[1].fileexecutable
MD5:82FFD848564AC867037CED13F3A90254
SHA256:6FA59F3A7612D254EF4DB1E1474A234421B590CDF856CDA134411EC0E9BF697B
3200PrintFolders.exeC:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\xhbyVNTTPYfvh.exeexecutable
MD5:3FB36CB0B7172E5298D2992D42984D06
SHA256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
12
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3200
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/extension.php
US
binary
92.0 Kb
malicious
3200
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/ping.php
US
text
17 b
malicious
3200
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
3.78 Mb
malicious
3788
iH0VCB.exe
GET
200
195.201.250.87:80
http://195.201.250.87/update.zip
DE
compressed
3.47 Mb
malicious
3788
iH0VCB.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
3200
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
386 Kb
malicious
3788
iH0VCB.exe
GET
200
67.27.158.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?152da92c4ef394c2
US
compressed
4.70 Kb
whitelisted
3800
gntuud.exe
POST
77.73.133.72:80
http://77.73.133.72/hfk3vK9/index.php
KZ
malicious
3788
iH0VCB.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D
US
der
1.74 Kb
whitelisted
3788
iH0VCB.exe
GET
200
195.201.250.87:80
http://195.201.250.87/1787
DE
text
110 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3200
PrintFolders.exe
107.182.129.235:80
Delis LLC
US
malicious
3788
iH0VCB.exe
192.124.249.22:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
3788
iH0VCB.exe
67.27.158.126:80
ctldl.windowsupdate.com
LEVEL3
US
malicious
3200
PrintFolders.exe
45.139.105.171:80
Xdeer Limited
BG
malicious
3200
PrintFolders.exe
171.22.30.106:80
Delis LLC
US
malicious
3800
gntuud.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3320
rundll32.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3788
iH0VCB.exe
195.201.250.87:80
Hetzner Online GmbH
DE
malicious
3788
iH0VCB.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
ctldl.windowsupdate.com
  • 67.27.158.126
  • 67.27.157.126
  • 8.253.207.120
  • 8.248.135.254
  • 8.253.204.120
whitelisted
ocsp.godaddy.com
  • 192.124.249.22
  • 192.124.249.23
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.24
whitelisted

Threats

PID
Process
Class
Message
3200
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3200
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3200
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3200
PrintFolders.exe
Misc activity
ET INFO Packed Executable Download
3200
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3200
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3788
iH0VCB.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
3788
iH0VCB.exe
A Network Trojan was detected
ET TROJAN Arkei/Vidar/Mars Stealer Variant
3200
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3200
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2 ETPRO signatures available at the full report
No debug info