Summary | ZeroBOX

amaa.exe

Tags: Malicious Library, UPX, Malicious Packer, PNG Format, PE File, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6403_us
Started: March 28, 2024, 7:46 a.m.
Completed: March 28, 2024, 7:55 a.m.

Size: 6.2MB
Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: 7077ab5685f753d94192aca8e3158fb5
SHA256: 751ad0b26586c0dbb06379c8bbb1b7a47e77adc19c3f068d6305f47faec551b2
CRC32: 577F5356
ssdeep: 98304:Xrxkmr7CWoqbb4ngAFGw7WClREnjwaeSkMc88QS+qE0AaG8MlftjxeUZH:XKyzoLgkW4RmKMcJWqE0AaGxftjx/Z
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name                     Response        Post-Analysis Lookup
creationofprogress.com   194.116.214.7

IP Address       Status   Action
164.124.101.2    Active   Moloch
194.116.214.7    Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API / Arguments / Status / Return / Repeated

GetComputerNameW
  computer_name: TEST22-PC
  Status 1, Return 1, Repeated 0
  (this call is logged 7 times with identical arguments and result)
Time & API / Arguments / Status / Return / Repeated

GlobalMemoryStatusEx
  (no arguments logged)
  Status 1, Return 1, Repeated 0
section .trace
section .gfids
section _RDATA
section .debug_o
resource name AQ
suspicious_features: POST method with no referer header; POST method with no useragent header
suspicious_request: POST http://creationofprogress.com/8BvxwQdec3/index.php
request: POST http://creationofprogress.com/8BvxwQdec3/index.php
request: POST http://creationofprogress.com/8BvxwQdec3/index.php
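The two suspicious_features strings above are header heuristics, so here is an added example (not code from the ZeroBOX report or its signature set) that re-implements them over raw HTTP requests. The requests are constructed for the example; the first is what the InternetConnectA/HttpOpenRequestA calls logged further down would put on the wire (host and path are the indicators from this report, the body "x=1" is a placeholder), the second is an ordinary browser form post, the third is a GET with no User-Agent that the heuristic deliberately ignores. A header that is present but empty, which is how WinINet logs the referer here, is treated as missing.

```python
"""Report-style 'suspicious_features' checks over constructed raw HTTP requests."""

from typing import Dict, List, Tuple

# Indicators taken from this report.
REPORT_HOST = "creationofprogress.com"
REPORT_PATH = "/8BvxwQdec3/index.php"

NO_REFERER = "POST method with no referer header"
NO_USERAGENT = "POST method with no useragent header"
REPORT_MATCH = "POST to the host and path listed in this report"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers).
    Values are stripped, so 'Referer:' with nothing after it becomes ''."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def suspicious_features(raw: bytes) -> List[str]:
    """Return the feature strings that apply to one request.
    Only POSTs are examined; an empty header value counts as absent."""
    method, path, headers = parse_request(raw)
    features: List[str] = []
    if method.upper() != "POST":
        return features
    if not headers.get("referer"):
        features.append(NO_REFERER)
    if not headers.get("user-agent"):
        features.append(NO_USERAGENT)
    if headers.get("host", "").lower() == REPORT_HOST and path == REPORT_PATH:
        features.append(REPORT_MATCH)
    return features


# Constructed samples, not captured traffic.
SAMPLES = {
    "sandbox_post": (b"POST /8BvxwQdec3/index.php HTTP/1.1\r\n"
                     b"Host: creationofprogress.com\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n"
                     b"Content-Length: 3\r\n"
                     b"Referer:\r\n"              # present but empty, as WinINet logs it
                     b"\r\nx=1"),                 # placeholder body
    "browser_post": (b"POST /login HTTP/1.1\r\n"
                     b"Host: example.com\r\n"
                     b"User-Agent: Mozilla/5.0\r\n"
                     b"Referer: https://example.com/\r\n"
                     b"Content-Length: 0\r\n\r\n"),
    "bare_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run the heuristic over every sample and map name -> features."""
    return {name: suspicious_features(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, feats in scan().items():
        print(name, "->", feats or "clean")
```

Feeding real traffic in means replacing SAMPLES with request blobs carved from a capture; nothing else changes, and the empty-value rule is what keeps the WinINet case from slipping through a naive "header present" check.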
Time & API / Arguments / Status / Return / Repeated

NtProtectVirtualMemory
  process_identifier: 1712
  process_handle: 0xffffffff (pseudo-handle for the calling process)
  base_address: 0x00405000
  length: 24576
  protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  Status 1, Return 0 (STATUS_SUCCESS), Repeated 0

NtProtectVirtualMemory
  process_identifier: 1712
  process_handle: 0xffffffff (pseudo-handle for the calling process)
  base_address: 0x74161000
  length: 73728
  protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  Status 1, Return 0 (STATUS_SUCCESS), Repeated 0
cmdline C:\Windows\SysWOW64\cmd.exe
Time & API / Arguments / Status / Return / Repeated

CreateProcessInternalW
  command_line: C:\Windows\SysWOW64\cmd.exe
  filepath: (empty)
  filepath_r: (empty)
  current_directory: (empty)
  creation_flags: 134217728 (CREATE_NO_WINDOW)
  inherit_handles: 1
  track: 1
  process_identifier: 2072
  process_handle: 0x00000130
  thread_identifier: 2076
  thread_handle: 0x0000012c
  stack_pivoted: 0
  Status 1, Return 1, Repeated 0
section .rsrc: virtual_address 0x0013e000, virtual_size 0x00125acd, size_of_data 0x00125c00, entropy 7.9715736564254485
  description: A section with a high entropy has been found
entropy 0.519566659297
  description: Overall entropy of this PE file is high
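The two entropy lines above come from a two-stage check: per-section Shannon entropy, then the share of raw section data that sits in high-entropy sections. The following is an added example, not code from the ZeroBOX report or its signature set, that reproduces that check with a hand-rolled PE section-table walker so it runs on any PE file. The thresholds (6.8 bits per byte for a section, 20% for the file) are assumptions modelled on Cuckoo's packer_entropy signature; under that heuristic the report's 0.5196 is not an entropy but the fraction of section data held by high-entropy sections, here the 1.2MB .rsrc section. The sample PE built inside the block is constructed (valid headers, not runnable code) so the example works offline.

```python
"""Section-entropy check of the kind behind the report's entropy lines,
with a minimal PE section-table parser and a constructed sample file."""

import math
import struct
import sys
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Assumed thresholds, modelled on Cuckoo's packer_entropy signature.
SECTION_ENTROPY_THRESHOLD = 6.8   # bits per byte; above this a section is "high entropy"
FILE_RATIO_THRESHOLD = 0.2        # file flagged when high-entropy sections exceed this share


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a
    uniform byte distribution (what packed or encrypted data looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes) -> Iterator[Tuple[str, int, bytes]]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    yield (name, SizeOfRawData, raw bytes) for each section."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]            # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               raw_size, blob[raw_ptr:raw_ptr + raw_size])


def evaluate_pe(blob: bytes) -> Dict[str, object]:
    """Per-section entropy plus the file-level ratio that the report prints
    as 'Overall entropy of this PE file'."""
    entropies: Dict[str, float] = {}
    high: List[str] = []
    total = packed = 0
    for name, size, raw in pe_sections(blob):
        ent = shannon_entropy(raw)
        entropies[name] = ent
        total += size
        if ent > SECTION_ENTROPY_THRESHOLD:
            high.append(name)
            packed += size
    ratio = packed / total if total else 0.0
    return {"entropy": entropies, "high_entropy_sections": high,
            "ratio": ratio, "packed": ratio > FILE_RATIO_THRESHOLD}


def build_sample_pe() -> bytes:
    """Constructed two-section PE (valid headers, no code): a 'packed' section
    cycling through all 256 byte values next to a zero-filled section."""
    sections = ((b".rsrc", bytes(range(256)) * 4), (b".data", b"\0" * 1024))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # i386, no optional header
    data_start = 64 + 4 + 20 + 40 * len(sections)
    table = b""
    data = b""
    for i, (name, raw) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (i + 1),
                             len(raw), data_start + len(data), 0, 0, 0, 0, 0x40000040)
        data += raw
    return dos + b"PE\0\0" + coff + table + data


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    result = evaluate_pe(blob)
    for name, ent in result["entropy"].items():
        print(f"{name:10s} entropy={ent:.3f}")
    print(f"high-entropy share={result['ratio']:.3f} packed={result['packed']}")
```

Run it with a path argument to score a real file; note it only measures raw section data, so an overlay appended after the last section (common with UPX-wrapped droppers) is not counted, which is one reason a 6.2MB file can report a ratio computed over far less data.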
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Time & API / Arguments / Status / Return / Repeated

InternetConnectA
  internet_handle: 0x00cc0004
  hostname: creationofprogress.com
  port: 80
  service: 3 (INTERNET_SERVICE_HTTP)
  username: (empty)
  password: (empty)
  flags: 0
  Status 1, Return 13369352 (0x00cc0008, the connect handle used by the next call), Repeated 0

HttpOpenRequestA
  connect_handle: 0x00cc0008
  http_method: POST
  path: /8BvxwQdec3/index.php
  http_version: (empty)
  referer: (empty)
  flags: 0
  Status 1, Return 13369356 (0x00cc000c, request handle), Repeated 0

(this InternetConnectA/HttpOpenRequestA pair is logged twice with identical arguments and return values, matching the two POST requests in the network section)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Penguish.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
Cylance unsafe
VIPRE Trojan.Generic.35405691
K7AntiVirus Trojan ( 005b2dc71 )
BitDefender Trojan.Generic.35405691
K7GW Trojan ( 005b2dc71 )
Arcabit Trojan.Generic.D21C3F7B
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.GURY
Avast Win32:Malware-gen
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Trojan:Win32/Penguish.a0fd6f42
MicroWorld-eScan Trojan.Generic.35405691
Rising Trojan.Generic@AI.95 (RDML:xy8CjcmF3KH6vP6OApMYbw)
Emsisoft Trojan.Generic.35405691 (B)
F-Secure Trojan.TR/AVI.Agent.lwztf
TrendMicro TrojanSpy.Win32.LUMMASTEALER.YXECZZ
FireEye Trojan.Generic.35405691
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Krypt
Google Detected
Avira TR/AVI.Agent.lwztf
MAX malware (ai score=80)
Kingsoft Win32.Troj.Unknown.a
Gridinsoft Ransom.Win32.Sabsik.ca
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm HEUR:Trojan.Win32.Penguish.gen
GData Trojan.Generic.35405691
Varist W32/ABRisk.NPZW-8390
AhnLab-V3 Trojan/Win.Sabsik.C5603533
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Panda Trj/RnkBend.A
TrendMicro-HouseCall TrojanSpy.Win32.LUMMASTEALER.YXECZZ
Tencent Malware.Win32.Gencirc.1406b061
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/GenKryptik.GURY!tr
AVG Win32:Malware-gen
CrowdStrike win/malicious_confidence_60% (W)
alibabacloud Trojan:Win/Penguish.gen