analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

4838245.doc

Full analysis: https://app.any.run/tasks/6ea29fbb-f955-4971-8126-429740cd5fcc
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: April 23, 2019, 08:50:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
loader
trojan
amadey
rat
azorult
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

BB8F410028DA1CEDD5DC84CE3605894D

SHA1:

E10CBC7BD729FA3C63A4D5127BFD191D1A77B658

SHA256:

D7E42CF34DCE49C1287EE180186863E8FA9CAF9ACD507A3DB3CA8798A1B8326E

SSDEEP:

3072:8/luOqPkeSeJLZQMqkFbB/05GbLyAa71OtQvVZgK1sCIfBuZG:CUOoJmot1Pa71IQ3F1sCIz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • smjalrc.exe (PID: 2980)
      • vuyj43.tmp (PID: 3528)
      • azor.exe (PID: 3076)
      • azor.exe (PID: 876)
      • vuyj43.tmp (PID: 2052)
    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 2184)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2184)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2184)
    • AMADEY was detected

      • smjalrc.exe (PID: 2980)
    • Changes the Startup folder

      • REG.exe (PID: 3996)
    • AZORULT was detected

      • azor.exe (PID: 876)
    • Connects to CnC server

      • azor.exe (PID: 876)
      • smjalrc.exe (PID: 2980)
    • Downloads executable files from the Internet

      • smjalrc.exe (PID: 2980)
    • Loads dropped or rewritten executable

      • azor.exe (PID: 876)
    • Actions looks like stealing of personal data

      • azor.exe (PID: 876)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • vuyj43.tmp (PID: 3528)
      • smjalrc.exe (PID: 2980)
      • azor.exe (PID: 876)
    • Starts application with an unusual extension

      • WINWORD.EXE (PID: 2184)
    • Starts itself from another location

      • vuyj43.tmp (PID: 3528)
    • Creates files in the program directory

      • vuyj43.tmp (PID: 3528)
    • Uses REG.EXE to modify Windows registry

      • smjalrc.exe (PID: 2980)
    • Connects to server without host name

      • smjalrc.exe (PID: 2980)
    • Reads the cookies of Google Chrome

      • azor.exe (PID: 876)
    • Reads the cookies of Mozilla Firefox

      • azor.exe (PID: 876)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2184)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start winword.exe vuyj43.tmp #AMADEY smjalrc.exe reg.exe azor.exe no specs #AZORULT azor.exe vuyj43.tmp no specs

Process information

PID
CMD
Path
Indicators
Parent process
2184"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4838245.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3528C:\Users\admin\AppData\Local\Temp\vuyj43.tmpC:\Users\admin\AppData\Local\Temp\vuyj43.tmp
WINWORD.EXE
User:
admin
Company:
Social Finance
Integrity Level:
MEDIUM
Description:
Captcha Mother Iobjectaccesscontrol Duplexed
Exit code:
0
Version:
6.8.2.5
2980c:\programdata\fe97e9e43b\smjalrc.exec:\programdata\fe97e9e43b\smjalrc.exe
vuyj43.tmp
User:
admin
Company:
Social Finance
Integrity Level:
MEDIUM
Description:
Captcha Mother Iobjectaccesscontrol Duplexed
Version:
6.8.2.5
3996REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\fe97e9e43bC:\Windows\system32\REG.exe
smjalrc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3076C:\Users\admin\AppData\Local\Temp\azor.exeC:\Users\admin\AppData\Local\Temp\azor.exesmjalrc.exe
User:
admin
Company:
Dimension Bots
Integrity Level:
MEDIUM
Description:
Dimension Bots - Life time activator
Exit code:
0
Version:
89.449.612.359
876"C:\Users\admin\AppData\Local\Temp\azor.exe"C:\Users\admin\AppData\Local\Temp\azor.exe
azor.exe
User:
admin
Company:
Dimension Bots
Integrity Level:
MEDIUM
Description:
Dimension Bots - Life time activator
Exit code:
0
Version:
89.449.612.359
2052C:\Users\admin\AppData\Local\Temp\vuyj43.tmpC:\Users\admin\AppData\Local\Temp\vuyj43.tmpWINWORD.EXE
User:
admin
Company:
Social Finance
Integrity Level:
MEDIUM
Description:
Captcha Mother Iobjectaccesscontrol Duplexed
Exit code:
0
Version:
6.8.2.5
Total events
1 344
Read events
973
Write events
0
Delete events
0

Modification events

No data
Executable files
53
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2E8F.tmp.cvr
MD5:
SHA256:
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF56041827451E3DAD.TMP
MD5:
SHA256:
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF5326928B8A6DD441.TMP
MD5:
SHA256:
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF5AFB9CDAF9BA3D91.TMP
MD5:
SHA256:
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF236E35E53203A04E.TMP
MD5:
SHA256:
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC759288653BD5EAF.TMP
MD5:
SHA256:
2184WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC61C04E15EDCD693.TMP
MD5:
SHA256:
3528vuyj43.tmpC:\ProgramData\0
MD5:
SHA256:
3528vuyj43.tmpC:\programdata\fe97e9e43b\smjalrc.exe:Zone.Identifier
MD5:
SHA256:
2980smjalrc.exeC:\ProgramData\0
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
8
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2980
smjalrc.exe
POST
200
95.179.189.49:80
http://95.179.189.49/CC/index.php
GR
text
54 b
malicious
2980
smjalrc.exe
GET
200
185.180.198.176:80
http://johnnobab.com/base222/azor.exe
US
executable
850 Kb
malicious
2184
WINWORD.EXE
GET
200
87.98.158.248:80
http://trinatcapererpicel.info/word66.tmp
FR
executable
383 Kb
suspicious
2980
smjalrc.exe
POST
200
95.179.189.49:80
http://95.179.189.49/CC/index.php
GR
text
6 b
malicious
876
azor.exe
POST
200
185.180.198.176:80
http://johnnobab.com/
US
binary
4.27 Mb
malicious
876
azor.exe
POST
200
185.180.198.176:80
http://johnnobab.com/
US
text
2 b
malicious
2980
smjalrc.exe
POST
200
95.179.189.49:80
http://95.179.189.49/CC/index.php
GR
text
6 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2184
WINWORD.EXE
87.98.158.248:80
trinatcapererpicel.info
OVH SAS
FR
suspicious
95.179.189.49:80
Cosmoline Telecommunication Services S.A.
GR
malicious
2980
smjalrc.exe
185.180.198.176:80
johnnobab.com
Hosting Solution Ltd.
US
suspicious
876
azor.exe
185.180.198.176:80
johnnobab.com
Hosting Solution Ltd.
US
suspicious
2980
smjalrc.exe
95.179.189.49:80
Cosmoline Telecommunication Services S.A.
GR
malicious

DNS requests

Domain
IP
Reputation
trinatcapererpicel.info
  • 87.98.158.248
suspicious
johnnobab.com
  • 185.180.198.176
malicious

Threats

PID
Process
Class
Message
2184
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2184
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2184
WINWORD.EXE
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
2980
smjalrc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
2980
smjalrc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Win32.Amadey
2980
smjalrc.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2980
smjalrc.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
876
azor.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult.Stealer HTTP Header
876
azor.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult Request
876
azor.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult Response
4 ETPRO signatures available at the full report
No debug info