File name: | C:\Users\admin\Desktop\POkT0kGQnV.vbs |
Full analysis: | https://app.any.run/tasks/f829a2af-a88b-4e7a-9360-539a661dcb12 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | April 25, 2019, 13:41:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 4C3050CF3F8FCCD49AEE889FCDBFF385 |
SHA1: | 81ADE25537A2B8037ED4B429D17358A860E3C66C |
SHA256: | E4663565C569D2CB65CAE46A7F73DA6C970B7E58DF4BDF9575CB820466E7B1C7 |
SSDEEP: | 384:OofYgmwj5LNE80PmiCLOoHrdD02Kvxt3leKmasQlEjcJe2e9sHtO3R8gN:tfYfwj5NWBCLDHrdD02Ut3BmasQlEjcs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1548 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\POkT0kGQnV.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
644 | "C:\Users\admin\Desktop\wKPoj5TIuO.exe" | C:\Users\admin\Desktop\wKPoj5TIuO.exe | WScript.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3768 | c:\programdata\f64a428dfd\cmualrc.exe | c:\programdata\f64a428dfd\cmualrc.exe | wKPoj5TIuO.exe | |
User: admin Integrity Level: MEDIUM | ||||
1492 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\f64a428dfd | C:\Windows\system32\REG.exe | cmualrc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2364 | C:\Users\admin\AppData\Local\Temp\ES_a.exe | C:\Users\admin\AppData\Local\Temp\ES_a.exe | cmualrc.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1548 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@file[1].txt | — | |
MD5:— | SHA256:— | |||
644 | wKPoj5TIuO.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
644 | wKPoj5TIuO.exe | C:\programdata\f64a428dfd\cmualrc.exe:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
3768 | cmualrc.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
2364 | ES_a.exe | C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd | — | |
MD5:— | SHA256:— | |||
2364 | ES_a.exe | C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd | — | |
MD5:— | SHA256:— | |||
2364 | ES_a.exe | C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd | — | |
MD5:— | SHA256:— | |||
2364 | ES_a.exe | C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd | — | |
MD5:— | SHA256:— | |||
2364 | ES_a.exe | C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd | — | |
MD5:— | SHA256:— | |||
2364 | ES_a.exe | C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2364 | ES_a.exe | POST | 200 | 163.172.84.54:80 | http://163.172.84.54/filename.php | FR | — | — | malicious |
— | — | POST | 200 | 163.172.84.54:80 | http://163.172.84.54/filename.php | FR | — | — | malicious |
3768 | cmualrc.exe | POST | 200 | 37.34.176.37:80 | http://gohaiendo.com/ppk/index.php | KW | — | — | malicious |
— | — | POST | 200 | 163.172.84.54:80 | http://163.172.84.54/filename.php | FR | — | — | malicious |
— | — | POST | 200 | 163.172.84.54:80 | http://163.172.84.54/filename.php | FR | — | — | malicious |
3768 | cmualrc.exe | POST | 200 | 37.34.176.37:80 | http://gohaiendo.com/ppk/index.php | KW | text | 40 b | malicious |
— | — | POST | 200 | 163.172.84.54:80 | http://163.172.84.54/filename.php | FR | — | — | malicious |
3768 | cmualrc.exe | GET | 200 | 212.108.64.41:80 | http://afpl.ie/ES_a.exe | GB | executable | 404 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3768 | cmualrc.exe | 212.108.64.41:80 | afpl.ie | The Internet Business Ltd | GB | suspicious |
2364 | ES_a.exe | 163.172.84.54:80 | — | Online S.a.s. | FR | malicious |
1548 | WScript.exe | 209.43.40.101:443 | file.ac | IQuest Internet | US | suspicious |
— | — | 163.172.84.54:80 | — | Online S.a.s. | FR | malicious |
3768 | cmualrc.exe | 37.34.176.37:80 | gohaiendo.com | Mobile Telecommunications Company | KW | malicious |
Domain | IP | Reputation |
---|---|---|
file.ac |
| whitelisted |
gohaiendo.com |
| malicious |
afpl.ie |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3768 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3768 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3768 | cmualrc.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2364 | ES_a.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.PWS.Siggen2.Stealer |