File name: | 4838245.doc |
Full analysis: | https://app.any.run/tasks/6ea29fbb-f955-4971-8126-429740cd5fcc |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | April 23, 2019, 08:50:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | BB8F410028DA1CEDD5DC84CE3605894D |
SHA1: | E10CBC7BD729FA3C63A4D5127BFD191D1A77B658 |
SHA256: | D7E42CF34DCE49C1287EE180186863E8FA9CAF9ACD507A3DB3CA8798A1B8326E |
SSDEEP: | 3072:8/luOqPkeSeJLZQMqkFbB/05GbLyAa71OtQvVZgK1sCIfBuZG:CUOoJmot1Pa71IQ3F1sCIz |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2184 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4838245.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3528 | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | WINWORD.EXE | |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Exit code: 0 Version: 6.8.2.5 | ||||
2980 | c:\programdata\fe97e9e43b\smjalrc.exe | c:\programdata\fe97e9e43b\smjalrc.exe | vuyj43.tmp | |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Version: 6.8.2.5 | ||||
3996 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\fe97e9e43b | C:\Windows\system32\REG.exe | smjalrc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3076 | C:\Users\admin\AppData\Local\Temp\azor.exe | C:\Users\admin\AppData\Local\Temp\azor.exe | — | smjalrc.exe |
User: admin Company: Dimension Bots Integrity Level: MEDIUM Description: Dimension Bots - Life time activator Exit code: 0 Version: 89.449.612.359 | ||||
876 | "C:\Users\admin\AppData\Local\Temp\azor.exe" | C:\Users\admin\AppData\Local\Temp\azor.exe | azor.exe | |
User: admin Company: Dimension Bots Integrity Level: MEDIUM Description: Dimension Bots - Life time activator Exit code: 0 Version: 89.449.612.359 | ||||
2052 | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | — | WINWORD.EXE |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Exit code: 0 Version: 6.8.2.5 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2E8F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF56041827451E3DAD.TMP | — | |
MD5:— | SHA256:— | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5326928B8A6DD441.TMP | — | |
MD5:— | SHA256:— | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5AFB9CDAF9BA3D91.TMP | — | |
MD5:— | SHA256:— | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF236E35E53203A04E.TMP | — | |
MD5:— | SHA256:— | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC759288653BD5EAF.TMP | — | |
MD5:— | SHA256:— | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC61C04E15EDCD693.TMP | — | |
MD5:— | SHA256:— | |||
3528 | vuyj43.tmp | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
3528 | vuyj43.tmp | C:\programdata\fe97e9e43b\smjalrc.exe:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
2980 | smjalrc.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2980 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 54 b | malicious |
2980 | smjalrc.exe | GET | 200 | 185.180.198.176:80 | http://johnnobab.com/base222/azor.exe | US | executable | 850 Kb | malicious |
2184 | WINWORD.EXE | GET | 200 | 87.98.158.248:80 | http://trinatcapererpicel.info/word66.tmp | FR | executable | 383 Kb | suspicious |
2980 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
876 | azor.exe | POST | 200 | 185.180.198.176:80 | http://johnnobab.com/ | US | binary | 4.27 Mb | malicious |
876 | azor.exe | POST | 200 | 185.180.198.176:80 | http://johnnobab.com/ | US | text | 2 b | malicious |
2980 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2184 | WINWORD.EXE | 87.98.158.248:80 | trinatcapererpicel.info | OVH SAS | FR | suspicious |
— | — | 95.179.189.49:80 | — | Cosmoline Telecommunication Services S.A. | GR | malicious |
2980 | smjalrc.exe | 185.180.198.176:80 | johnnobab.com | Hosting Solution Ltd. | US | suspicious |
876 | azor.exe | 185.180.198.176:80 | johnnobab.com | Hosting Solution Ltd. | US | suspicious |
2980 | smjalrc.exe | 95.179.189.49:80 | — | Cosmoline Telecommunication Services S.A. | GR | malicious |
Domain | IP | Reputation |
---|---|---|
trinatcapererpicel.info |
| suspicious |
johnnobab.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2184 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2184 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2184 | WINWORD.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
2980 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2980 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2980 | smjalrc.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2980 | smjalrc.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
876 | azor.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
876 | azor.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
876 | azor.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Response |