Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2025, 4:46 p.m.	Jan. 27, 2025, 5:06 p.m.

Size	49.2KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`4bd4a99a7cf9e77972857a935d2cddcb`
SHA256	`5b884a196cf85de56828d912eeeb9c417b2a074132c1f384150d6ffcfe1dab8d`
CRC32	`3F00BCAE`
ssdeep	`768:AN4a7os+Bd1biSJfBFdiGOsSyS5/hhurlzdx:3a2xb5+YSyE/hgpzH`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

amada2.exe "C:\Users\test22\AppData\Local\Temp\amada2.exe"
1648
- gdsun.exe c:\programdata\1be588a5b7\gdsun.exe
  2088
  - reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7
    2160

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 27, 2025, 4:46 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Jan. 27, 2025, 4:46 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 27, 2025, 4:46 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1	0

The executable uses a known packer (1 event)

packer

MinGW GCC 3.x

Creates executable files on the filesystem (1 event)

file	c:\programdata\1be588a5b7\gdsun.exe

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Zbot.tpJY
MicroWorld-eScan	Gen:Variant.Doina.11475
CAT-QuickHeal	Trojan.Ghanarava.17376334532cddcb
Skyhigh	BehavesLike.Win32.Generic.pt
ALYac	Gen:Variant.Doina.11475
Cylance	Unsafe
VIPRE	Gen:Variant.Doina.11475
Sangfor	Downloader.Win32.Agent.Af7c
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Doina.11475
K7GW	Trojan-Downloader ( 0053fea91 )
K7AntiVirus	Trojan-Downloader ( 0053fea91 )
Arcabit	Trojan.Doina.D2CD3
VirIT	Trojan.Win32.SpyBot.BDQ
Symantec	Trojan.Amadey
Elastic	Windows.Generic.Threat
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.EGF
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Spy.Win32.Zbot.zkig
Alibaba	TrojanSpy:Win32/Generic.4374b16c
NANO-Antivirus	Trojan.Win32.Zbot.fkkbuf
Rising	Stealer.Amadey!1.BC27 (CLASSIC)
Emsisoft	Trojan-Downloader.Agent (A)
F-Secure	Heuristic.HEUR/AGEN.1316138
DrWeb	Trojan.SpyBot.770
Zillya	Downloader.Agent.Win32.372093
McAfeeD	ti!5B884A196CF8
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.4bd4a99a7cf9e779
Jiangmin	TrojanSpy.Zbot.fnnn
Webroot	W32.Adware.Gen
Google	Detected
Avira	HEUR/AGEN.1316138
Antiy-AVL	Trojan[Downloader]/Win32.Deyma
Kingsoft	malware.kb.a.999
Gridinsoft	Ransom.Win32.Zbot.oa!s1
Microsoft	TrojanDownloader:Win32/Zlob.ZXP!bit
ViRobot	Trojan.Win32.Agent.50416
GData	Gen:Variant.Doina.11475
Varist	W32/Hancitor.A.gen!Eldorado
AhnLab-V3	Backdoor/Win32.RL_IRCBot.R276868
McAfee	GenericRXAA-AA!4BD4A99A7CF9
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.SpyBot
Malwarebytes	Generic.Malware.AI.DDS

amada2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All