URL: https://onedrive.live.com/download.aspx?authkey=!AIQ9egAT7k2gD08&cid=15128527F18DE6B7&resid=15128527F18DE6B7!105&parId=root&o=OneUp
Full analysis: https://app.any.run/tasks/3bf22610-d4d1-40bc-b69a-88f29a65b114
Verdict: Malicious activity
Threats: Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Analysis date: February 21, 2020, 18:36:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: —
Indicators:
MD5: 8E257FCB70395419D223F645980DF866
SHA1: 9EB9F938E5B539E8EC67450273C4679458A16232
SHA256: D6EE815536A4448B6D5BD81A8474584AF3F30E473C591CBEACBE4E206F5F109F
SSDEEP: 3:N8Ck3CTwKKfMTE4X4uUQUEjbAWA5QNjwKQ6zKHJV:2CkST/Kf+E5QN3jNTFyb

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2412 | "C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download.aspx?authkey=!AIQ9egAT7k2gD08&cid=15128527F18DE6B7&resid=15128527F18DE6B7!105&parId=root&o=OneUp | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2756 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2412 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2972 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Factura_H857-45_PDF.tar.z" | C:\Program Files\WinRAR\WinRAR.exe | — | iexplore.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
3888 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2972.24144\Factura H857-45 PDF 68314327388519392170462410704891832387045998858265423686856368463893527217314350005463051907763.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2972.24144\Factura H857-45 PDF 68314327388519392170462410704891832387045998858265423686856368463893527217314350005463051907763.exe | — | WinRAR.exe | User: admin; Company: Zenefits; Integrity Level: MEDIUM; Description: Sailboat Example1; Exit code: 0; Version: 8.9.9.3
3400 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2568 | c:\programdata\268352e06c\gvsaa.exe | c:\programdata\268352e06c\gvsaa.exe | — | Factura H857-45 PDF 68314327388519392170462410704891832387045998858265423686856368463893527217314350005463051907763.exe | User: admin; Company: Zenefits; Integrity Level: MEDIUM; Description: Sailboat Example1; Version: 8.9.9.3
552 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\268352e06c | C:\Windows\system32\REG.exe | — | gvsaa.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
944 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\admin\AppData\Local\Temp\cred.dll, Main" | C:\Windows\system32\REG.exe | — | gvsaa.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3384 | rundll32.exe C:\Users\admin\AppData\Local\Temp\cred.dll, Main | C:\Windows\system32\rundll32.exe | — | gvsaa.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2136 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2972.30140\Factura H857-45 PDF 68314327388519392170462410704891832387045998858265423686856368463893527217314350005463051907763.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2972.30140\Factura H857-45 PDF 68314327388519392170462410704891832387045998858265423686856368463893527217314350005463051907763.exe | — | WinRAR.exe | User: admin; Company: Zenefits; Integrity Level: MEDIUM; Description: Sailboat Example1; Exit code: 0; Version: 8.9.9.3

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2756 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab6EC0.tmp | — | — | —
2756 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar6EC1.tmp | — | — | —
2412 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF2EF7B66DD6A65C9C.TMP | — | — | —
2412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Factura_H857-45_PDF.tar.z.7fkn8kj.partial:Zone.Identifier | — | — | —
3888 | Factura H857-45 PDF 68314327388519392170462410704891832387045998858265423686856368463893527217314350005463051907763.exe | C:\ProgramData\0 | — | — | —
3888 | Factura H857-45 PDF 68314327388519392170462410704891832387045998858265423686856368463893527217314350005463051907763.exe | C:\programdata\268352e06c\gvsaa.exe:Zone.Identifier | — | — | —
2412 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabD7B6.tmp | — | — | —
2412 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarD7B7.tmp | — | — | —
2412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD7C8.tmp | — | — | —
2412 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\DQ817MIF.txt | — | — | —


PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3384 | rundll32.exe | POST | 200 | 217.8.117.64:80 | http://217.8.117.64/theCC/index.php | unknown | — | — | malicious |
2756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2568 | gvsaa.exe | GET | 200 | 217.8.117.64:80 | http://217.8.117.64/theCC/cred.dll | unknown | executable | 71.5 Kb | malicious |
2756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
2568 | gvsaa.exe | POST | 200 | 217.8.117.64:80 | http://217.8.117.64/theCC/index.php | unknown | text | 6 b | malicious |
2568 | gvsaa.exe | POST | 200 | 217.8.117.64:80 | http://217.8.117.64/theCC/index.php | unknown | text | 6 b | malicious |
2568 | gvsaa.exe | POST | 200 | 217.8.117.64:80 | http://217.8.117.64/theCC/index.php | unknown | text | 6 b | malicious |
1052 | svchost.exe | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.4 Kb | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2756 | iexplore.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
2756 | iexplore.exe | 13.107.42.12:443 | 3wgxbq.bn.files.1drv.com | Microsoft Corporation | US | suspicious |
2412 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted |
2412 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2756 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2568 | gvsaa.exe | 217.8.117.64:80 | — | — | — | malicious |
1052 | svchost.exe | 13.107.4.50:80 | www.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
3384 | rundll32.exe | 217.8.117.64:80 | — | — | — | malicious |

Domain | IP | Reputation
---|---|---
onedrive.live.com | — | shared
ocsp.digicert.com | — | whitelisted
3wgxbq.bn.files.1drv.com | — | whitelisted
iecvlist.microsoft.com | — | whitelisted
r20swj13mr.microsoft.com | — | whitelisted
ieonline.microsoft.com | — | whitelisted
www.download.windowsupdate.com | — | whitelisted


PID | Process | Class | Message
---|---|---|---
2568 | gvsaa.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
2568 | gvsaa.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
2568 | gvsaa.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2568 | gvsaa.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
2568 | gvsaa.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2568 | gvsaa.exe | A Network Trojan was detected | ET TROJAN Amadey CnC Check-In |
2568 | gvsaa.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |
2568 | gvsaa.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2568 | gvsaa.exe | A Network Trojan was detected | MALWARE [PTsecurity] Amadey |
2568 | gvsaa.exe | A Network Trojan was detected | ET TROJAN Amadey CnC Check-In |