File name: C:\Users\admin\Desktop\POkT0kGQnV.vbs

Full analysis: https://app.any.run/tasks/f829a2af-a88b-4e7a-9360-539a661dcb12
Verdict: Malicious activity
Threats:
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: April 25, 2019, 13:41:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, amadey, loader, stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 4C3050CF3F8FCCD49AEE889FCDBFF385
SHA1: 81ADE25537A2B8037ED4B429D17358A860E3C66C
SHA256: E4663565C569D2CB65CAE46A7F73DA6C970B7E58DF4BDF9575CB820466E7B1C7
SSDEEP: 384:OofYgmwj5LNE80PmiCLOoHrdD02Kvxt3leKmasQlEjcJe2e9sHtO3R8gN:tfYfwj5NWBCLDHrdD02Ut3BmasQlEjcs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the Startup folder

      • REG.exe (PID: 1492)
    • Changes settings of System certificates

      • WScript.exe (PID: 1548)
    • Connects to CnC server

      • cmualrc.exe (PID: 3768)
    • Application was dropped or rewritten from another process

      • ES_a.exe (PID: 2364)
      • cmualrc.exe (PID: 3768)
      • wKPoj5TIuO.exe (PID: 644)
    • Downloads executable files from the Internet

      • cmualrc.exe (PID: 3768)
    • AMADEY was detected

      • cmualrc.exe (PID: 3768)
    • Actions looks like stealing of personal data

      • ES_a.exe (PID: 2364)
  • SUSPICIOUS

    • Creates files in the program directory

      • wKPoj5TIuO.exe (PID: 644)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 1548)
      • wKPoj5TIuO.exe (PID: 644)
      • cmualrc.exe (PID: 3768)
    • Creates files in the user directory

      • WScript.exe (PID: 1548)
    • Uses REG.EXE to modify Windows registry

      • cmualrc.exe (PID: 3768)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 1548)
    • Connects to server without host name

      • ES_a.exe (PID: 2364)
  • INFO

    No info indicators.
No Malware configuration.
Total processes: 37 | Monitored processes: 5 | Malicious processes: 3 | Suspicious processes: 1

Behavior graph (process tree reconstructed from the parent/child relationships in the report)

explorer.exe
└─ WScript.exe (PID 1548)  runs POkT0kGQnV.vbs
   └─ wKPoj5TIuO.exe (PID 644)            drop and start
      └─ cmualrc.exe (PID 3768)  #AMADEY  drop and start
         ├─ REG.exe (PID 1492)            start
         └─ ES_a.exe (PID 2364)           drop and start

Process information

PID 1548  WScript.exe  (parent: explorer.exe)
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\POkT0kGQnV.vbs"
  Path: C:\Windows\System32\WScript.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Microsoft ® Windows Based Script Host | Version: 5.8.7600.16385

PID 644  wKPoj5TIuO.exe  (parent: WScript.exe)
  CMD: "C:\Users\admin\Desktop\wKPoj5TIuO.exe"
  Path: C:\Users\admin\Desktop\wKPoj5TIuO.exe
  User: admin | Integrity level: MEDIUM | Exit code: 0

PID 3768  cmualrc.exe  (parent: wKPoj5TIuO.exe)
  CMD: c:\programdata\f64a428dfd\cmualrc.exe
  Path: c:\programdata\f64a428dfd\cmualrc.exe
  User: admin | Integrity level: MEDIUM

PID 1492  REG.exe  (parent: cmualrc.exe)
  CMD: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\f64a428dfd
  Path: C:\Windows\system32\REG.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Registry Console Tool | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  This command is the persistence step: it points the per-user Startup folder (the User Shell Folders\Startup value, normally %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) at the loader's own drop directory, so Explorer launches whatever sits in C:\ProgramData\f64a428dfd at every logon without any Run-key entry being written.

PID 2364  ES_a.exe  (parent: cmualrc.exe)
  CMD: C:\Users\admin\AppData\Local\Temp\ES_a.exe
  Path: C:\Users\admin\AppData\Local\Temp\ES_a.exe
  User: admin | Integrity level: MEDIUM
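The REG ADD run by PID 1492 is the one behavior in this report that a process-creation log catches cleanly: reg.exe rewriting a User Shell Folders Startup value to a non-default path. The Python below is an added detection example, not part of the ANY.RUN report and not Amadey's code: it parses reg.exe command lines out of process-creation events and flags any ADD that moves a Startup folder away from its Windows default. The event schema (pid, parent_image, command_line) and the three comparison events are constructed; only the PID 1492 command line is taken from the report.

```python
"""Flag Startup-folder redirection done through reg.exe (added example)."""
import re

# Default Startup locations as Windows stores them under User Shell Folders
# (REG_EXPAND_SZ, environment variables left unexpanded).
DEFAULT_STARTUP = {
    "startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "common startup": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
}

# Matches the HKCU/HKLM ...\Explorer\User Shell Folders (and Shell Folders) keys.
SHELL_FOLDERS_KEY = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\"
    r"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
    r"(User )?Shell Folders$",
    re.IGNORECASE,
)


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_reg_add(cmd):
    """Return {'key','value','type','data'} for a 'reg add' command line, else None."""
    toks = tokenize(cmd)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    parsed = {"key": toks[2], "value": None, "type": None, "data": None}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        opt = toks[i].lower()
        if opt in names and i + 1 < len(toks):
            parsed[names[opt]] = toks[i + 1]
            i += 2
        else:  # /f, /ve, /s, /reg:32 ... take no argument we need
            i += 1
    return parsed


def detect_startup_redirect(events):
    """Return one finding per reg.exe ADD that moves a Startup folder off its default."""
    findings = []
    for ev in events:
        parsed = parse_reg_add(ev["command_line"])
        if not parsed or not SHELL_FOLDERS_KEY.match(parsed["key"]):
            continue
        name = (parsed["value"] or "").lower()
        if name not in DEFAULT_STARTUP:
            continue
        new_path = (parsed["data"] or "").rstrip("\\")
        if new_path.lower() == DEFAULT_STARTUP[name].lower():
            continue  # restoring the default is not persistence
        findings.append({
            "pid": ev["pid"],
            "parent": ev["parent_image"],
            "value": parsed["value"],
            "new_path": new_path,
            "reason": "Startup folder redirected; files placed there run at the next logon",
        })
    return findings


# Constructed process-creation events mirroring the report's process tree;
# only PID 1492's command line is copied from the report itself.
SAMPLE_EVENTS = [
    {"pid": 3768, "parent_image": "wKPoj5TIuO.exe",
     "command_line": r"c:\programdata\f64a428dfd\cmualrc.exe"},
    {"pid": 1492, "parent_image": "cmualrc.exe",
     "command_line": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
                     r" /f /v Startup /t REG_SZ /d C:\ProgramData\f64a428dfd"},
    {"pid": 2001, "parent_image": "cmd.exe",  # benign: read-only query
     "command_line": r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup'},
    {"pid": 2002, "parent_image": "cmd.exe",  # benign: restores the default value
     "command_line": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
                     r' /f /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"'},
]

if __name__ == "__main__":
    for f in detect_startup_redirect(SAMPLE_EVENTS):
        print(f"PID {f['pid']} ({f['parent']} -> reg.exe): {f['value']} -> {f['new_path']}")
```

Feed it Sysmon Event ID 1 or EDR process-creation exports by mapping their command-line field into the same three-key shape; a hit whose new path sits under ProgramData, Temp or AppData, with a non-Microsoft parent, is exactly the pattern seen here. The parser deliberately ignores reg query and resets to the default so that administrative use of reg.exe does not page anyone.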
Total events: 553 | Read events: 480 | Write events: 0 | Delete events: 0

Modification events

No data

Executable files: 5 | Suspicious files: 0 | Text files: 212 | Unknown types: 1

Dropped files (MD5/SHA256 values are not included in this excerpt)

PID   Process          Filename
1548  WScript.exe      C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@file[1].txt
644   wKPoj5TIuO.exe   C:\ProgramData\0
644   wKPoj5TIuO.exe   C:\programdata\f64a428dfd\cmualrc.exe:Zone.Identifier
3768  cmualrc.exe      C:\ProgramData\0
2364  ES_a.exe         C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
2364  ES_a.exe         C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
2364  ES_a.exe         C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
2364  ES_a.exe         C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
2364  ES_a.exe         C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
2364  ES_a.exe         C:\Users\admin\AppData\Local\Temp\RA033.tmp\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
HTTP(S) requests: 8 | TCP/UDP connections: 6 | DNS requests: 3 | Threats: 0

HTTP requests (rows whose PID and process were not captured in the extraction are left blank)

PID   Process      Method  Code  IP                URL                                 CN  Type        Size    Reputation
2364  ES_a.exe     POST    200   163.172.84.54:80  http://163.172.84.54/filename.php   FR                      malicious
                   POST    200   163.172.84.54:80  http://163.172.84.54/filename.php   FR                      malicious
3768  cmualrc.exe  POST    200   37.34.176.37:80   http://gohaiendo.com/ppk/index.php  KW                      malicious
                   POST    200   163.172.84.54:80  http://163.172.84.54/filename.php   FR                      malicious
                   POST    200   163.172.84.54:80  http://163.172.84.54/filename.php   FR                      malicious
3768  cmualrc.exe  POST    200   37.34.176.37:80   http://gohaiendo.com/ppk/index.php  KW  text        40 b    malicious
                   POST    200   163.172.84.54:80  http://163.172.84.54/filename.php   FR                      malicious
3768  cmualrc.exe  GET     200   212.108.64.41:80  http://afpl.ie/ES_a.exe             GB  executable  404 Kb  suspicious
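Three things in this table are what the sandbox's network signatures keyed on: ES_a.exe POSTing repeatedly to a bare IP with no DNS lookup ("Connects to server without host name"), cmualrc.exe checking in to a /ppk/index.php endpoint from its ProgramData drop path, and cmualrc.exe fetching the PE ES_a.exe from afpl.ie over plain HTTP (the ET POLICY alert). The Python below is an added triage example, not tooling from the report or from ANY.RUN: it applies those three rules to HTTP records and collects the contacted hosts as IOCs. The record schema, the content types and the response bytes are constructed (the report gives only sizes and a type column); the URLs, methods and processes are the ones listed above.

```python
"""Triage cleartext HTTP records for loader-style beaconing (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Directories a legitimate HTTP client rarely posts from; the report's two
# beaconing processes live in ProgramData and the user's Temp folder.
STAGING_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
PE_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/vnd.microsoft.portable-executable"}


def is_raw_ip_host(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(rec):
    """Return the list of rule names one HTTP record trips (empty if none)."""
    alerts = []
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    method = rec["method"].upper()
    body = rec.get("response_body", b"")
    image = rec["image"].lower()

    # 'Connects to server without host name': beacon to a bare IP, no DNS involved.
    if parts.scheme == "http" and method == "POST" and is_raw_ip_host(host):
        alerts.append("post_to_raw_ip")
    # 'PE EXE or DLL Windows file download HTTP': MZ header or a PE content type.
    if parts.scheme == "http" and method == "GET" and (
            body[:2] == b"MZ" or rec.get("content_type", "") in PE_CONTENT_TYPES):
        alerts.append("pe_download_over_http")
    # Loader check-in: POST to a PHP endpoint from a binary in a staging directory.
    if method == "POST" and parts.path.lower().endswith(".php") and any(
            d in image for d in STAGING_DIRS):
        alerts.append("php_post_from_staging_dir")
    return alerts


def triage(records):
    """Return (pid, url, alerts) for every record that tripped at least one rule."""
    out = []
    for rec in records:
        alerts = classify_request(rec)
        if alerts:
            out.append((rec["pid"], rec["url"], alerts))
    return out


def network_iocs(records):
    """Sorted hosts (names or IPs) contacted by any flagged request."""
    return sorted({urlsplit(url).hostname for _, url, _ in triage(records)})


# Constructed records: URLs, methods and processes come from the report's HTTP
# table; content types and response bytes are made up for the demo.
SAMPLE_REQUESTS = [
    {"pid": 2364, "image": r"C:\Users\admin\AppData\Local\Temp\ES_a.exe", "method": "POST",
     "url": "http://163.172.84.54/filename.php", "content_type": "text/html",
     "response_body": b""},
    {"pid": 3768, "image": r"c:\programdata\f64a428dfd\cmualrc.exe", "method": "POST",
     "url": "http://gohaiendo.com/ppk/index.php", "content_type": "text/html",
     "response_body": b"ok"},
    {"pid": 3768, "image": r"c:\programdata\f64a428dfd\cmualrc.exe", "method": "GET",
     "url": "http://afpl.ie/ES_a.exe", "content_type": "application/octet-stream",
     "response_body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"pid": 1200, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "method": "GET",
     "url": "http://example.com/index.html", "content_type": "text/html",
     "response_body": b"<html>"},  # benign control
]

if __name__ == "__main__":
    for pid, url, alerts in triage(SAMPLE_REQUESTS):
        print(f"PID {pid}  {url}  {', '.join(alerts)}")
    print("IOC hosts:", network_iocs(SAMPLE_REQUESTS))
```

The PE check looks at the first two response bytes rather than trusting Content-Type, because the report's download came back as a generic executable type and loaders routinely mislabel payloads; the staging-directory rule is what separates cmualrc.exe's index.php check-in from an ordinary browser form post to the same kind of URL.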

Connections (PID and process blank where the extraction did not capture them)

PID   Process      IP                 Domain         ASN                                CN  Reputation
3768  cmualrc.exe  212.108.64.41:80   afpl.ie        The Internet Business Ltd          GB  suspicious
2364  ES_a.exe     163.172.84.54:80                  Online S.a.s.                      FR  malicious
1548  WScript.exe  209.43.40.101:443  file.ac        IQuest Internet                    US  suspicious
                   163.172.84.54:80                  Online S.a.s.                      FR  malicious
3768  cmualrc.exe  37.34.176.37:80    gohaiendo.com  Mobile Telecommunications Company  KW  malicious

DNS requests

Domain         Resolved IPs                                                    Reputation
file.ac        209.43.40.101                                                   whitelisted
gohaiendo.com  37.34.176.37, 196.20.111.10, 155.133.93.30, 151.251.23.210,      malicious
               181.39.233.180, 89.17.225.163, 87.126.16.141, 78.40.139.73,
               197.255.246.6, 188.254.179.205
afpl.ie        212.108.64.41                                                   suspicious

Threats (IDS alerts on the captured traffic)

PID   Process      Class                                  Message
3768  cmualrc.exe  A Network Trojan was detected          MALWARE [PTsecurity] Trojan.Win32.Amadey
3768  cmualrc.exe  A Network Trojan was detected          MALWARE [PTsecurity] Trojan.Win32.Amadey
3768  cmualrc.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2364  ES_a.exe     A Network Trojan was detected          MALWARE [PTsecurity] Trojan.PWS.Siggen2.Stealer
1 ETPRO signature is available in the full report.
No debug info