File name: | file |
Full analysis: | https://app.any.run/tasks/2e303c2f-5bb5-4cf2-a8fd-90904e1a0ea1 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | December 06, 2022, 05:43:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 6B9DF39FF3BC394A9AA4CA61ED44C281 |
SHA1: | 0493642D0E978C91463716A6E2A0AC2EFE4F4BEF |
SHA256: | F05C005E82478B0723820D5B21D23DD97A47513758323A7E1DF581A5F0112C16 |
SSDEEP: | 6144:G9X5jyr2LSFHl90ezQ5louvgclYgHq50TScoCF:G9XVyyeFHl901TnHq52FxF |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2021-Sep-11 22:03:41 |
Detected languages: |
|
Debug artifacts: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 240 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2021-Sep-11 22:03:41 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 98082 | 98304 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69384 |
.data | 102400 | 228516 | 216576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.57369 |
.zafuyam | 331776 | 3000 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0 |
.rsrc | 335872 | 40488 | 40960 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.93394 |
.reloc | 376832 | 7680 | 7680 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.93018 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.55425 | 1736 | UNKNOWN | Slovak - Slovakia | RT_ICON |
2 | 5.55711 | 9640 | UNKNOWN | Slovak - Slovakia | RT_ICON |
3 | 5.80356 | 1128 | UNKNOWN | Slovak - Slovakia | RT_ICON |
4 | 5.48131 | 3752 | UNKNOWN | Slovak - Slovakia | RT_ICON |
5 | 5.34639 | 2216 | UNKNOWN | Slovak - Slovakia | RT_ICON |
6 | 5.68751 | 1384 | UNKNOWN | Slovak - Slovakia | RT_ICON |
7 | 5.59774 | 9640 | UNKNOWN | Slovak - Slovakia | RT_ICON |
8 | 5.72985 | 4264 | UNKNOWN | Slovak - Slovakia | RT_ICON |
9 | 5.77813 | 2440 | UNKNOWN | Slovak - Slovakia | RT_ICON |
10 | 5.30353 | 1128 | UNKNOWN | Slovak - Slovakia | RT_ICON |
KERNEL32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2460 | "C:\Users\admin\AppData\Local\Temp\file.exe" | C:\Users\admin\AppData\Local\Temp\file.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3728 | "C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe" | C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe | file.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
2308 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F | C:\Windows\System32\schtasks.exe | — | gntuud.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3116 | "C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Roaming\a091ec0a6e2227\cred.dll, Main | C:\Windows\System32\rundll32.exe | gntuud.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1432 | C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe | C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3900 | C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe | C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
|
(PID) Process: | (2460) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2460) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2460) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2460) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3728) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
Operation: | write | Name: | Startup |
Value: C:\Users\admin\AppData\Local\Temp\99e342142d\ | |||
(PID) Process: | (3728) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3728) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3728) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3728) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3728) gntuud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
3728 | gntuud.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\cred[1].dll | executable | |
MD5:98CC0F811AD5FF43FEDC262961002498 | SHA256:62D5B300B911A022C5C146EA010769CD0C2FDCC86ABA7E5BE25AFF1F799220BE | |||
2460 | file.exe | C:\Users\admin\AppData\Local\Temp\99e342142d\gntuud.exe | executable | |
MD5:6B9DF39FF3BC394A9AA4CA61ED44C281 | SHA256:F05C005E82478B0723820D5B21D23DD97A47513758323A7E1DF581A5F0112C16 | |||
3728 | gntuud.exe | C:\Users\admin\AppData\Local\Temp\302019708150 | image | |
MD5:5E5F4F8756A4AF129B5692DAFF177A78 | SHA256:94C89A48C86495CAE02825ABCD682901762E6BA989DCD04E4B610BB430472AE9 | |||
3728 | gntuud.exe | C:\Users\admin\AppData\Roaming\a091ec0a6e2227\cred.dll | executable | |
MD5:98CC0F811AD5FF43FEDC262961002498 | SHA256:62D5B300B911A022C5C146EA010769CD0C2FDCC86ABA7E5BE25AFF1F799220BE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3728 | gntuud.exe | POST | 200 | 62.204.41.6:80 | http://62.204.41.6/p9cWxH/index.php?scr=1 | GB | — | — | malicious |
3728 | gntuud.exe | POST | 200 | 62.204.41.6:80 | http://62.204.41.6/p9cWxH/index.php | GB | text | 6 b | malicious |
3728 | gntuud.exe | GET | 200 | 62.204.41.6:80 | http://62.204.41.6/p9cWxH/Plugins/cred.dll | GB | executable | 126 Kb | malicious |
3116 | rundll32.exe | POST | 200 | 62.204.41.6:80 | http://62.204.41.6/p9cWxH/index.php | GB | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3728 | gntuud.exe | 62.204.41.6:80 | — | Horizon LLC | RU | malicious |
3116 | rundll32.exe | 62.204.41.6:80 | — | Horizon LLC | RU | malicious |
PID | Process | Class | Message |
---|---|---|---|
3728 | gntuud.exe | A Network Trojan was detected | ET TROJAN Amadey CnC Check-In |
3728 | gntuud.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |
3728 | gntuud.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3728 | gntuud.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent |
3728 | gntuud.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3728 | gntuud.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3116 | rundll32.exe | A Network Trojan was detected | AV TROJAN Trojan/Win32.Agent InfoStealer CnC Checkin |