File name: | file |
Full analysis: | https://app.any.run/tasks/5cde136d-cee2-4d19-ac88-02afb7a9ce4e |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | December 05, 2022, 21:34:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive |
MD5: | 68425436636D032FABA7FE3E0A4ECE91 |
SHA1: | E7CCCF49A9EE8C0E922482FC1C9B99B197575F41 |
SHA256: | D0BE3792565AAE8BC68BD3AB3847B5D44298EB94EE6A09A7AF2C62305EBA3A78 |
SSDEEP: | 98304:Q+FWIWSdmDCk4h3dDCdh64mVWYZr8xpb7zr/KtG/VaucY/B:fFWIWHvPdh64+QN3r/KuaucY/B |
.exe | | | Inno Setup installer (82.8) |
---|---|---|
.exe | | | Win32 Executable Delphi generic (10.7) |
.exe | | | Win32 Executable (generic) (3.4) |
.exe | | | Generic Win/DOS Executable (1.5) |
.exe | | | DOS Executable Generic (1.5) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 1992-Jun-19 22:22:17 |
Detected languages: |
|
Comments: | This installation was built with Inno Setup: http://www.innosetup.com |
CompanyName: | - |
FileDescription: | PrintFolders Setup |
FileVersion: | - |
InternalName: | - |
OriginalFilename: | - |
ProductName: | - |
ProductVersion: | - |
e_magic: | MZ |
---|---|
e_cblp: | 80 |
e_cp: | 2 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | 15 |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | 26 |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 256 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 8 |
TimeDateStamp: | 1992-Jun-19 22:22:17 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 4096 | 36352 | 36352 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60044 |
DATA | 40960 | 584 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.72043 |
BSS | 45056 | 3684 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 49152 | 2248 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.2508 |
.tls | 53248 | 8 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rdata | 57344 | 24 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.199108 |
.reloc | 61440 | 2156 | 0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | |
.rsrc | 65536 | 167124 | 167424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 5.27927 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.39383 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 5.94971 | 2440 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 5.5357 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 5.48577 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.25469 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.46372 | 21640 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 5.3545 | 38056 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 4.90318 | 67624 | Latin 1 / Western European | English - United States | RT_ICON |
4089 | 3.21823 | 754 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4090 | 3.31515 | 780 | Latin 1 / Western European | UNKNOWN | RT_STRING |
advapi32.dll |
advapi32.dll (#2) |
comctl32.dll |
kernel32.dll |
kernel32.dll (#2) |
oleaut32.dll |
user32.dll |
user32.dll (#2) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1968 | "C:\Users\admin\AppData\Local\Temp\file.exe" | C:\Users\admin\AppData\Local\Temp\file.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: PrintFolders Setup Exit code: 3221226540 Version: Modules
| |||||||||||||||
2676 | "C:\Users\admin\AppData\Local\Temp\file.exe" | C:\Users\admin\AppData\Local\Temp\file.exe | Explorer.EXE | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: PrintFolders Setup Exit code: 0 Version: Modules
| |||||||||||||||
2240 | "C:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3604422 208896 | C:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmp | file.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.42.0.0 Modules
| |||||||||||||||
3200 | "C:\Program Files\PrintFolders\PrintFolders.exe" | C:\Program Files\PrintFolders\PrintFolders.exe | is-5A496.tmp | ||||||||||||
User: admin Company: Atr Software Integrity Level: HIGH Description: Data Recovery Exit code: 0 Version: 1.2.3.100 Modules
| |||||||||||||||
2640 | C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\xhbyVNTTPYfvh.exe | — | PrintFolders.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
3788 | "C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe" | C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe | PrintFolders.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
1988 | "C:\Users\admin\AppData\Roaming\5wj7z\CpxFvK.exe" | C:\Users\admin\AppData\Roaming\5wj7z\CpxFvK.exe | PrintFolders.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
3156 | "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe" & exit | C:\Windows\System32\cmd.exe | — | iH0VCB.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3240 | timeout /t 6 | C:\Windows\system32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2288 | "C:\Users\admin\AppData\Roaming\9AIDp5ZPMO\VbuRgjs49.exe" | C:\Users\admin\AppData\Roaming\9AIDp5ZPMO\VbuRgjs49.exe | — | PrintFolders.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
|
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_CURRENT_USER\Software\Atzpoint Software\PrintFolders |
Operation: | write | Name: | Language |
Value: eng | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.1.2-beta | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\PrintFolders | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\PrintFolders\ | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | Inno Setup: Icon Group |
Value: PrintFolders | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | DisplayName |
Value: PrintFolders 3.100 | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\PrintFolders\PrintFolders.exe | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | UninstallString |
Value: "C:\Program Files\PrintFolders\unins000.exe" | |||
(PID) Process: | (2240) is-5A496.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1 |
Operation: | write | Name: | QuietUninstallString |
Value: "C:\Program Files\PrintFolders\unins000.exe" /SILENT |
PID | Process | Filename | Type | |
---|---|---|---|---|
2240 | is-5A496.tmp | C:\Program Files\PrintFolders\is-QKN25.tmp | — | |
MD5:— | SHA256:— | |||
2240 | is-5A496.tmp | C:\Program Files\PrintFolders\PrintFolders.exe | — | |
MD5:— | SHA256:— | |||
3200 | PrintFolders.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ping[1].htm | text | |
MD5:064DB2A4C3D31A4DC6AA2538F3FE7377 | SHA256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 | |||
2240 | is-5A496.tmp | C:\Program Files\PrintFolders\unins000.exe | executable | |
MD5:BCD1868E95254F9531A7FF38461C0D72 | SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C | |||
2240 | is-5A496.tmp | C:\Program Files\PrintFolders\unins000.dat | dat | |
MD5:EF6AB9378BD76B936156D5CA46FB834E | SHA256:4842E479CE38E1A0B0134F5F4E931D1FE061040E999BC01BEF84064D6B473D06 | |||
2676 | file.exe | C:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmp | executable | |
MD5:10C841B0221D6870DE7C951EAF5B1DA9 | SHA256:4252858D9C6D8D55F829D7E418EA8357FD26FBDF8C0FCE1FED23A8C720A8807E | |||
3200 | PrintFolders.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fuckingdllENCR[1].dll | binary | |
MD5:418619EA97671304AF80EC60F5A50B62 | SHA256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 | |||
2240 | is-5A496.tmp | C:\Program Files\PrintFolders\is-RVMIF.tmp | executable | |
MD5:BCD1868E95254F9531A7FF38461C0D72 | SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C | |||
3200 | PrintFolders.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MIXTWO[1].file | executable | |
MD5:82FFD848564AC867037CED13F3A90254 | SHA256:6FA59F3A7612D254EF4DB1E1474A234421B590CDF856CDA134411EC0E9BF697B | |||
3200 | PrintFolders.exe | C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\xhbyVNTTPYfvh.exe | executable | |
MD5:3FB36CB0B7172E5298D2992D42984D06 | SHA256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3200 | PrintFolders.exe | GET | 200 | 107.182.129.235:80 | http://107.182.129.235/storage/extension.php | US | binary | 92.0 Kb | malicious |
3200 | PrintFolders.exe | GET | 200 | 107.182.129.235:80 | http://107.182.129.235/storage/ping.php | US | text | 17 b | malicious |
3200 | PrintFolders.exe | GET | 200 | 171.22.30.106:80 | http://171.22.30.106/library.php | GB | executable | 3.78 Mb | malicious |
3788 | iH0VCB.exe | GET | 200 | 195.201.250.87:80 | http://195.201.250.87/update.zip | DE | compressed | 3.47 Mb | malicious |
3788 | iH0VCB.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
3200 | PrintFolders.exe | GET | 200 | 171.22.30.106:80 | http://171.22.30.106/library.php | GB | executable | 386 Kb | malicious |
3788 | iH0VCB.exe | GET | 200 | 67.27.158.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?152da92c4ef394c2 | US | compressed | 4.70 Kb | whitelisted |
3800 | gntuud.exe | POST | — | 77.73.133.72:80 | http://77.73.133.72/hfk3vK9/index.php | KZ | — | — | malicious |
3788 | iH0VCB.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D | US | der | 1.74 Kb | whitelisted |
3788 | iH0VCB.exe | GET | 200 | 195.201.250.87:80 | http://195.201.250.87/1787 | DE | text | 110 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3200 | PrintFolders.exe | 107.182.129.235:80 | — | Delis LLC | US | malicious |
3788 | iH0VCB.exe | 192.124.249.22:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
3788 | iH0VCB.exe | 67.27.158.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious |
3200 | PrintFolders.exe | 45.139.105.171:80 | — | Xdeer Limited | BG | malicious |
3200 | PrintFolders.exe | 171.22.30.106:80 | — | Delis LLC | US | malicious |
3800 | gntuud.exe | 77.73.133.72:80 | — | Partner LLC | KZ | malicious |
3320 | rundll32.exe | 77.73.133.72:80 | — | Partner LLC | KZ | malicious |
3788 | iH0VCB.exe | 195.201.250.87:80 | — | Hetzner Online GmbH | DE | malicious |
3788 | iH0VCB.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | malicious |
Domain | IP | Reputation |
---|---|---|
t.me |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3200 | PrintFolders.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3200 | PrintFolders.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3200 | PrintFolders.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3200 | PrintFolders.exe | Misc activity | ET INFO Packed Executable Download |
3200 | PrintFolders.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3200 | PrintFolders.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3788 | iH0VCB.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request |
3788 | iH0VCB.exe | A Network Trojan was detected | ET TROJAN Arkei/Vidar/Mars Stealer Variant |
3200 | PrintFolders.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3200 | PrintFolders.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |