File name: | 5160514.doc |
Full analysis: | https://app.any.run/tasks/80464c35-e9f8-44ed-a346-50bf0642cec9 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | April 23, 2019, 12:09:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | BB8F410028DA1CEDD5DC84CE3605894D |
SHA1: | E10CBC7BD729FA3C63A4D5127BFD191D1A77B658 |
SHA256: | D7E42CF34DCE49C1287EE180186863E8FA9CAF9ACD507A3DB3CA8798A1B8326E |
SSDEEP: | 3072:8/luOqPkeSeJLZQMqkFbB/05GbLyAa71OtQvVZgK1sCIfBuZG:CUOoJmot1Pa71IQ3F1sCIz |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2912 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5160514.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2660 | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | WINWORD.EXE | |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Exit code: 0 Version: 6.8.2.5 | ||||
4036 | c:\programdata\fe97e9e43b\smjalrc.exe | c:\programdata\fe97e9e43b\smjalrc.exe | vuyj43.tmp | |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Version: 6.8.2.5 | ||||
2148 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\fe97e9e43b | C:\Windows\system32\REG.exe | smjalrc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFD54.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7629F32AA914964E.TMP | — | |
MD5:— | SHA256:— | |||
2912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3F47E06D8EAE1BDE.TMP | — | |
MD5:— | SHA256:— | |||
2912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF8BDC1FE20B619469.TMP | — | |
MD5:— | SHA256:— | |||
2912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA2BA3C8A8DBE0D2B.TMP | — | |
MD5:— | SHA256:— | |||
2912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF875721D01E0BEDA5.TMP | — | |
MD5:— | SHA256:— | |||
2912 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF6901483296D4B27B.TMP | — | |
MD5:— | SHA256:— | |||
2660 | vuyj43.tmp | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
2660 | vuyj43.tmp | C:\programdata\fe97e9e43b\smjalrc.exe:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
4036 | smjalrc.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2912 | WINWORD.EXE | GET | 200 | 87.98.158.248:80 | http://trinatcapererpicel.info/word66.tmp | FR | executable | 383 Kb | suspicious |
4036 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
4036 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
4036 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
4036 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2912 | WINWORD.EXE | 87.98.158.248:80 | trinatcapererpicel.info | OVH SAS | FR | suspicious |
4036 | smjalrc.exe | 95.179.189.49:80 | — | Cosmoline Telecommunication Services S.A. | GR | malicious |
— | — | 95.179.189.49:80 | — | Cosmoline Telecommunication Services S.A. | GR | malicious |
Domain | IP | Reputation |
---|---|---|
trinatcapererpicel.info |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2912 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2912 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2912 | WINWORD.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
4036 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
4036 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
4036 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
4036 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
4036 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
4036 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
4036 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |