Windows Analysis Report
2852oQ7OHx.exe

Overview

General Information

Sample name: 2852oQ7OHx.exe
(renamed file extension from mem to exe, renamed because original name is a hash value)
Original sample name: 2a09719305ad5054f1294b1355f707a945950c5013538c439bd2ae5e5d2ac2f8.mem
Analysis ID: 1545115
MD5: 19c5de2ee75b5e364378b511ea5b960b
SHA1: 6f1c29332f82a6e5dded8f50fd666a53a87ff6c5
SHA256: 2a09719305ad5054f1294b1355f707a945950c5013538c439bd2ae5e5d2ac2f8

Detection

Amadey
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadey
Contains functionality to start a terminal service
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: 2852oQ7OHx.exe Joe Sandbox ML: detected
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: 185.215.113.217
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: /CoreOPT/index.php
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: S-%lu-
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: f9c76c1660
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: corept.exe
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Startup
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: rundll32
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Programs
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: %USERPROFILE%
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: cred.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: clip.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: http://
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: https://
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: /quiet
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: /Plugins/
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: &unit=
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: shell32.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: kernel32.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: GetNativeSystemInfo
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: ProgramData\
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: AVAST Software
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Kaspersky Lab
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Panda Security
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Doctor Web
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: 360TotalSecurity
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Bitdefender
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Norton
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Sophos
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Comodo
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: WinDefender
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: 0123456789
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: ------
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: ?scr=1
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: ComputerName
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: -unicode-
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: VideoID
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: ProductName
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: CurrentBuild
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: rundll32.exe
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: "taskkill /f /im "
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: " && timeout 1 && del
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: && Exit"
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: " && ren
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Powershell.exe
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: shutdown -s -t 0
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: random
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: Keyboard Layout\Preload
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: 00000419
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: 00000422
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: 00000423
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack String decryptor: 0000043f
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00406050 0_2_00406050
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0043065B 0_2_0043065B
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0042C720 0_2_0042C720
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_004428D7 0_2_004428D7
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00446CD4 0_2_00446CD4
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00446DF4 0_2_00446DF4
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00406DF0 0_2_00406DF0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00445047 0_2_00445047
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0043D6DA 0_2_0043D6DA
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00405AF0 0_2_00405AF0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00433BA0 0_2_00433BA0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00405DA0 0_2_00405DA0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0043DE69 0_2_0043DE69
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: String function: 0042B7D0 appears 56 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: String function: 004242A0 appears 101 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: String function: 0042AF81 appears 77 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: String function: 00406DF0 appears 57 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: String function: 004251B0 appears 136 times
Source: classification engine Classification label: mal60.troj.spyw.winEXE@1/0@0/0
Source: 2852oQ7OHx.exe String found in binary or memory: " /add /y
Source: 2852oQ7OHx.exe String found in binary or memory: " /add
Source: 2852oQ7OHx.exe String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 
h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0042B221 push ecx; ret 0_2_0042B234
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0042E950 LdrInitializeThunk, 0_2_0042E950
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0042EDC0 mov eax, dword ptr fs:[00000030h] 0_2_0042EDC0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_00436FB2 mov eax, dword ptr fs:[00000030h] 0_2_00436FB2
Source: C:\Users\user\Desktop\2852oQ7OHx.exe Code function: 0_2_0042B5EF cpuid 0_2_0042B5EF

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: 2852oQ7OHx.exe, 00000000.00000000.2036258800.0000000000451000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: net start termservice
Source: 2852oQ7OHx.exe String found in binary or memory: net start termservice
No contacted IP infos