File name: | 6273837.doc |
Full analysis: | https://app.any.run/tasks/ff5ae4c6-cf22-4a29-b425-4e70019d27fc |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | April 23, 2019, 11:31:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | BB8F410028DA1CEDD5DC84CE3605894D |
SHA1: | E10CBC7BD729FA3C63A4D5127BFD191D1A77B658 |
SHA256: | D7E42CF34DCE49C1287EE180186863E8FA9CAF9ACD507A3DB3CA8798A1B8326E |
SSDEEP: | 3072:8/luOqPkeSeJLZQMqkFbB/05GbLyAa71OtQvVZgK1sCIfBuZG:CUOoJmot1Pa71IQ3F1sCIz |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2828 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\6273837.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2856 | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | WINWORD.EXE | |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Exit code: 0 Version: 6.8.2.5 | ||||
2604 | c:\programdata\fe97e9e43b\smjalrc.exe | c:\programdata\fe97e9e43b\smjalrc.exe | vuyj43.tmp | |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Version: 6.8.2.5 | ||||
3912 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\fe97e9e43b | C:\Windows\system32\REG.exe | smjalrc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3920 | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | — | WINWORD.EXE |
User: admin Company: Social Finance Integrity Level: MEDIUM Description: Captcha Mother Iobjectaccesscontrol Duplexed Exit code: 0 Version: 6.8.2.5 | ||||
3660 | C:\Users\admin\AppData\Local\Temp\azor.exe | C:\Users\admin\AppData\Local\Temp\azor.exe | — | smjalrc.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2128 | C:\Users\admin\AppData\Local\Temp\azor.exe | C:\Users\admin\AppData\Local\Temp\azor.exe | azor.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFC2B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF90B433E6FFEB2EF7.TMP | — | |
MD5:— | SHA256:— | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA88A8D85AD97BD00.TMP | — | |
MD5:— | SHA256:— | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE2ACA0D68CD406A5.TMP | — | |
MD5:— | SHA256:— | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF36C92D06BE22E656.TMP | — | |
MD5:— | SHA256:— | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD525A963180DA485.TMP | — | |
MD5:— | SHA256:— | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD13FAE32972F2A20.TMP | — | |
MD5:— | SHA256:— | |||
2856 | vuyj43.tmp | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
2856 | vuyj43.tmp | C:\programdata\fe97e9e43b\smjalrc.exe:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
2604 | smjalrc.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2604 | smjalrc.exe | GET | 200 | 185.180.198.176:80 | http://johnnobab.com/base222/azor.exe | US | executable | 180 Kb | malicious |
2604 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | — | — | malicious |
2604 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
2828 | WINWORD.EXE | GET | 200 | 87.98.158.248:80 | http://trinatcapererpicel.info/word66.tmp | FR | executable | 383 Kb | suspicious |
2604 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
2604 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 54 b | malicious |
2604 | smjalrc.exe | POST | 200 | 95.179.189.49:80 | http://95.179.189.49/CC/index.php | GR | text | 6 b | malicious |
2128 | azor.exe | POST | 200 | 185.180.198.176:80 | http://johnnobab.com/ | US | text | 4 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2604 | smjalrc.exe | 95.179.189.49:80 | — | Cosmoline Telecommunication Services S.A. | GR | malicious |
2828 | WINWORD.EXE | 87.98.158.248:80 | trinatcapererpicel.info | OVH SAS | FR | suspicious |
2604 | smjalrc.exe | 185.180.198.176:80 | johnnobab.com | Hosting Solution Ltd. | US | suspicious |
2128 | azor.exe | 185.180.198.176:80 | johnnobab.com | Hosting Solution Ltd. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
trinatcapererpicel.info |
| suspicious |
johnnobab.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2828 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2828 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2828 | WINWORD.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
2604 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2604 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2604 | smjalrc.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2128 | azor.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2128 | azor.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
2604 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2604 | smjalrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |