Report - scr.dll

Amadey DLL PE File PE32 JPEG Format
ScreenShot
Created 2021.05.06 13:48 Machine s1_win7_x6401
Filename scr.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
2.8
ZERO API file : malware
VT API (file) 36 detected (malicious, high confidence, Doina, GenericRXAA, Unsafe, Amadey, Delf, TrojanX, Zusy, Bobik, Plodor, iaklyz, RDMK, cmRtazp1fSs81M45Sd7wkK4Qo7uw, SMYAAA, AGEN, EmotetCrypt, score, ai score=86, TScope, PasswordStealer, Gencirc, susgen, GdSda)
md5 a48dc2da2655fd049e37e36fcda28fba
sha256 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
ssdeep 6144:SJ+WK/pvT7arfwKFzDTsv5oaTh45CjBscX9TlHN:JJpb7Y7vf5i5X9TFN
imphash ff5a8f4780f2dc45750b55ab89f4b357
impfuzzy 96:8cfpHYo3O5c/434Rqp9UtqXqy5yqcPfDwPOQ/p:P3OAEd8qcPcPOQ/p
  Network IP location

Signature (6cnts)

Level Description
danger File has been identified by 36 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice One or more potentially interesting buffers were extracted
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (5cnts)

Level Name Description Collection
danger Win_Amadey_Zero Amadey bot binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://176.111.174.114//Hnq8vS/index.php?scr=up Unknown 176.111.174.114 clean
176.111.174.114 Unknown 176.111.174.114 malware

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x435104 DeleteCriticalSection
 0x435108 LeaveCriticalSection
 0x43510c EnterCriticalSection
 0x435110 InitializeCriticalSection
 0x435114 VirtualFree
 0x435118 VirtualAlloc
 0x43511c LocalFree
 0x435120 LocalAlloc
 0x435124 GetVersion
 0x435128 GetCurrentThreadId
 0x43512c InterlockedDecrement
 0x435130 InterlockedIncrement
 0x435134 VirtualQuery
 0x435138 WideCharToMultiByte
 0x43513c MultiByteToWideChar
 0x435140 lstrlenA
 0x435144 lstrcpynA
 0x435148 LoadLibraryExA
 0x43514c GetThreadLocale
 0x435150 GetStartupInfoA
 0x435154 GetProcAddress
 0x435158 GetModuleHandleA
 0x43515c GetModuleFileNameA
 0x435160 GetLocaleInfoA
 0x435164 GetLastError
 0x435168 GetCommandLineA
 0x43516c FreeLibrary
 0x435170 FindFirstFileA
 0x435174 FindClose
 0x435178 ExitProcess
 0x43517c WriteFile
 0x435180 UnhandledExceptionFilter
 0x435184 SetFilePointer
 0x435188 SetEndOfFile
 0x43518c RtlUnwind
 0x435190 ReadFile
 0x435194 RaiseException
 0x435198 GetStdHandle
 0x43519c GetFileSize
 0x4351a0 GetFileType
 0x4351a4 CreateFileA
 0x4351a8 CloseHandle
user32.dll
 0x4351b0 GetKeyboardType
 0x4351b4 LoadStringA
 0x4351b8 MessageBoxA
 0x4351bc CharNextA
advapi32.dll
 0x4351c4 RegQueryValueExA
 0x4351c8 RegOpenKeyExA
 0x4351cc RegCloseKey
oleaut32.dll
 0x4351d4 SysFreeString
 0x4351d8 SysReAllocStringLen
 0x4351dc SysAllocStringLen
kernel32.dll
 0x4351e4 TlsSetValue
 0x4351e8 TlsGetValue
 0x4351ec TlsFree
 0x4351f0 TlsAlloc
 0x4351f4 LocalFree
 0x4351f8 LocalAlloc
advapi32.dll
 0x435200 OpenThreadToken
 0x435204 OpenProcessToken
 0x435208 IsValidSid
 0x43520c GetTokenInformation
 0x435210 GetSidSubAuthorityCount
 0x435214 GetSidSubAuthority
 0x435218 GetSidIdentifierAuthority
kernel32.dll
 0x435220 WriteFile
 0x435224 WaitForSingleObject
 0x435228 VirtualQuery
 0x43522c Sleep
 0x435230 SetLastError
 0x435234 SetFilePointer
 0x435238 SetEvent
 0x43523c SetEndOfFile
 0x435240 ResetEvent
 0x435244 ReadFile
 0x435248 MulDiv
 0x43524c LeaveCriticalSection
 0x435250 InitializeCriticalSection
 0x435254 HeapFree
 0x435258 HeapAlloc
 0x43525c GlobalUnlock
 0x435260 GlobalReAlloc
 0x435264 GlobalHandle
 0x435268 GlobalLock
 0x43526c GlobalFree
 0x435270 GlobalAlloc
 0x435274 GetVersionExA
 0x435278 GetTickCount
 0x43527c GetThreadLocale
 0x435280 GetTempPathA
 0x435284 GetSystemInfo
 0x435288 GetStringTypeExA
 0x43528c GetStdHandle
 0x435290 GetProcessHeap
 0x435294 GetProcAddress
 0x435298 GetModuleHandleA
 0x43529c GetModuleFileNameA
 0x4352a0 GetLocaleInfoA
 0x4352a4 GetLocalTime
 0x4352a8 GetLastError
 0x4352ac GetFullPathNameA
 0x4352b0 GetDiskFreeSpaceA
 0x4352b4 GetDateFormatA
 0x4352b8 GetCurrentThreadId
 0x4352bc GetCurrentThread
 0x4352c0 GetCurrentProcess
 0x4352c4 GetCPInfo
 0x4352c8 GetACP
 0x4352cc FormatMessageA
 0x4352d0 FindFirstFileA
 0x4352d4 FindClose
 0x4352d8 FileTimeToLocalFileTime
 0x4352dc FileTimeToDosDateTime
 0x4352e0 EnumCalendarInfoA
 0x4352e4 EnterCriticalSection
 0x4352e8 DeleteFileA
 0x4352ec DeleteCriticalSection
 0x4352f0 CreateMutexA
 0x4352f4 CreateFileA
 0x4352f8 CreateEventA
 0x4352fc CompareStringA
 0x435300 CloseHandle
gdi32.dll
 0x435308 UnrealizeObject
 0x43530c StretchBlt
 0x435310 SetWinMetaFileBits
 0x435314 SetTextColor
 0x435318 SetStretchBltMode
 0x43531c SetROP2
 0x435320 SetEnhMetaFileBits
 0x435324 SetDIBColorTable
 0x435328 SetBrushOrgEx
 0x43532c SetBkMode
 0x435330 SetBkColor
 0x435334 SelectPalette
 0x435338 SelectObject
 0x43533c RealizePalette
 0x435340 PlayEnhMetaFile
 0x435344 PatBlt
 0x435348 MoveToEx
 0x43534c MaskBlt
 0x435350 GetWinMetaFileBits
 0x435354 GetTextMetricsA
 0x435358 GetSystemPaletteEntries
 0x43535c GetStockObject
 0x435360 GetPixel
 0x435364 GetPaletteEntries
 0x435368 GetObjectA
 0x43536c GetEnhMetaFilePaletteEntries
 0x435370 GetEnhMetaFileHeader
 0x435374 GetEnhMetaFileBits
 0x435378 GetDeviceCaps
 0x43537c GetDIBits
 0x435380 GetDIBColorTable
 0x435384 GetCurrentPositionEx
 0x435388 GetBrushOrgEx
 0x43538c GetBitmapBits
 0x435390 GdiFlush
 0x435394 DeleteObject
 0x435398 DeleteEnhMetaFile
 0x43539c DeleteDC
 0x4353a0 CreatePenIndirect
 0x4353a4 CreatePalette
 0x4353a8 CreateHalftonePalette
 0x4353ac CreateFontIndirectA
 0x4353b0 CreateDIBitmap
 0x4353b4 CreateDIBSection
 0x4353b8 CreateCompatibleDC
 0x4353bc CreateCompatibleBitmap
 0x4353c0 CreateBrushIndirect
 0x4353c4 CreateBitmap
 0x4353c8 CopyEnhMetaFileA
 0x4353cc BitBlt
user32.dll
 0x4353d4 ReleaseDC
 0x4353d8 MessageBoxA
 0x4353dc LoadStringA
 0x4353e0 LoadIconA
 0x4353e4 GetSystemMetrics
 0x4353e8 GetSysColor
 0x4353ec GetIconInfo
 0x4353f0 GetDC
 0x4353f4 GetClipboardData
 0x4353f8 FillRect
 0x4353fc DrawIconEx
 0x435400 DestroyIcon
 0x435404 CreateIcon
 0x435408 CharNextA
 0x43540c CharLowerBuffA
 0x435410 CharUpperBuffA
 0x435414 CharToOemA
kernel32.dll
 0x43541c Sleep
oleaut32.dll
 0x435424 SafeArrayPtrOfIndex
 0x435428 SafeArrayGetUBound
 0x43542c SafeArrayGetLBound
 0x435430 SafeArrayCreate
 0x435434 VariantChangeType
 0x435438 VariantCopy
 0x43543c VariantClear
 0x435440 VariantInit
wsock32.dll
 0x435448 WSACleanup
 0x43544c WSAStartup
 0x435450 gethostbyname
 0x435454 socket
 0x435458 send
 0x43545c recv
 0x435460 inet_ntoa
 0x435464 inet_addr
 0x435468 htons
 0x43546c connect
 0x435470 closesocket

EAT(Export Address Table) Library

0x431660 Main


Similarity measure (PE file only) - Checking for service failure