File name: | SearchKey.rar |
Full analysis: | https://app.any.run/tasks/4cdd3966-a385-41f0-aa7e-5278c4806624 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | October 25, 2021, 00:05:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | B7AEAE0BBF761B45711EA3A0D71E2B7B |
SHA1: | 716A88F53AED18E2F476CAC1E4367D7D54C37A72 |
SHA256: | E66F04CDA8667F223CFDC809CF5C253A199A97150DB344CE1F6B827D4E1C624D |
SSDEEP: | 24576:ymKIa5wgJt2aIIRN7NT5RlsMP1RBPk6u+6C2cOFOuA9pXHkWDOR76SQ3C:ahJtBIiT5sM/r68KODnXHPOB6SSC |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3036 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SearchKey.rar" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
276 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3036.038\SearchKey\SearchKey.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3036.038\SearchKey\SearchKey.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
3960 | "C:\Users\admin\AppData\Local\Temp\vms.exe" | C:\Users\admin\AppData\Local\Temp\vms.exe | SearchKey.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1168 | "C:\Users\admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe" | C:\Users\admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe | vms.exe | |
User: admin Integrity Level: MEDIUM | ||||
3468 | "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\admin\AppData\Local\Temp\5c436eadc6\ | C:\Windows\System32\cmd.exe | — | rnyuf.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3692 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe" /F | C:\Windows\System32\schtasks.exe | — | rnyuf.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2696 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\admin\AppData\Local\Temp\5c436eadc6\ | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3960 | vms.exe | C:\Users\admin\AppData\Local\Temp\15211302019708150072 | — | |
MD5:— | SHA256:— | |||
1168 | rnyuf.exe | C:\Users\admin\AppData\Local\Temp\152113020197 | image | |
MD5:A25852D1A012459327BBCCBECE311B29 | SHA256:8A8DECBA5B724B0EA4D230D734BF3B88838380977B6BD88D67BC2E95AD811E9B | |||
276 | SearchKey.exe | C:\Users\admin\AppData\Local\Temp\vms.exe | executable | |
MD5:42BA46496EF72FC3BD4E5DA798A57889 | SHA256:9F9140922DD951C9F2B19550B37F9B2A9E9F0E91EAE944D450985477D5215097 | |||
3960 | vms.exe | C:\Users\admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe | executable | |
MD5:42BA46496EF72FC3BD4E5DA798A57889 | SHA256:9F9140922DD951C9F2B19550B37F9B2A9E9F0E91EAE944D450985477D5215097 | |||
276 | SearchKey.exe | C:\Users\admin\AppData\Local\Temp\WMlADAP.exe | executable | |
MD5:28825DB687A3ED4212BFE23622596C11 | SHA256:B9CFB2ADA212CFAAE78C274F3BD9CB82409E6B230D503024319E81E5E79FE251 | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3036.038\SearchKey\SearchKey.exe | executable | |
MD5:B8731F924034BDD7098547944BD6ECC4 | SHA256:D9D58D04E684BDE2237B785D78EB9B7B8F1581DDDCB796D31C523B63A0F5CB94 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1168 | rnyuf.exe | POST | 200 | 178.208.83.45:80 | http://depressionk1d.ug/k8FppT/index.php?scr=1 | RU | — | — | malicious |
1168 | rnyuf.exe | POST | 200 | 178.208.83.45:80 | http://depressionk1d.ug/k8FppT/index.php | RU | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
276 | SearchKey.exe | 162.159.134.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
1168 | rnyuf.exe | 178.208.83.45:80 | depressionk1d.ug | Webzilla B.V. | RU | malicious |
276 | SearchKey.exe | 185.244.217.139:59111 | — | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
cdn.discordapp.com |
| shared |
depressionk1d.ug |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1168 | rnyuf.exe | A Network Trojan was detected | ET TROJAN Amadey CnC Check-In |
1168 | rnyuf.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |