Report - mam.exe

PE File OS Processor Check PE32
Created 2021.06.24 20:42 Machine s1_win7_x6401
Filename mam.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 10
Behavior Score 3.4
ZERO API file : clean
VT API (file) 52 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Noon, Unsafe, Save, Kryptik, ZexaF, FuW@aax389ii, Eldorado, Attribute, HighConfidence, HLJA, R002C0PFH21, Emotet, Static AI, Malicious PE, susgen, xbvuv, ASMalwS, Glupteba, score, ai score=89, CLASSIC, BQS2VC1mgIA, PossibleThreat, GdSda, confidence)
md5 17b10bd28b01f810e415e8fb5ca5bf76
sha256 fee2a0956fd7d2b95cfcd3f46abaf29fb86c8b83d0ee9c756a023a994919072d
ssdeep 12288:wMHki40mzGDuTRb3z1bJbyqqiAYz98rNL4c7W6v:J14NUCX1NbrqyJ8pL4u
imphash fbf9d3c26150891eb4e7ba18697f956a
impfuzzy 48:s3pGkGleeu1kt2cNASvF//KA6UynB/gCKX09+SYJGzFsX:sZGkGkeGkt2clGVjk

Signature (7cnts)

Level Description
danger File has been identified by 52 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger

Rules (3cnts)

Level Name Description Collection
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (10cnts)


Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40a000 GetModuleHandleW
 0x40a004 CloseHandle
 0x40a008 WriteConsoleW
 0x40a00c SetFilePointerEx
 0x40a010 SetStdHandle
 0x40a014 GetConsoleMode
 0x40a018 GetConsoleCP
 0x40a01c FlushFileBuffers
 0x40a020 GetStringTypeW
 0x40a024 LCMapStringEx
 0x40a028 WideCharToMultiByte
 0x40a02c LoadLibraryW
 0x40a030 OutputDebugStringW
 0x40a034 HeapReAlloc
 0x40a038 EncodePointer
 0x40a03c DecodePointer
 0x40a040 GetCommandLineW
 0x40a044 RaiseException
 0x40a048 RtlUnwind
 0x40a04c IsDebuggerPresent
 0x40a050 IsProcessorFeaturePresent
 0x40a054 GetLastError
 0x40a058 InterlockedDecrement
 0x40a05c ExitProcess
 0x40a060 GetModuleHandleExW
 0x40a064 GetProcAddress
 0x40a068 MultiByteToWideChar
 0x40a06c HeapSize
 0x40a070 Sleep
 0x40a074 GetStdHandle
 0x40a078 WriteFile
 0x40a07c GetModuleFileNameW
 0x40a080 HeapFree
 0x40a084 HeapAlloc
 0x40a088 SetLastError
 0x40a08c InterlockedIncrement
 0x40a090 GetCurrentThreadId
 0x40a094 GetProcessHeap
 0x40a098 GetFileType
 0x40a09c InitializeCriticalSectionAndSpinCount
 0x40a0a0 DeleteCriticalSection
 0x40a0a4 InitOnceExecuteOnce
 0x40a0a8 GetStartupInfoW
 0x40a0ac QueryPerformanceCounter
 0x40a0b0 GetSystemTimeAsFileTime
 0x40a0b4 GetTickCount64
 0x40a0b8 GetEnvironmentStringsW
 0x40a0bc FreeEnvironmentStringsW
 0x40a0c0 UnhandledExceptionFilter
 0x40a0c4 SetUnhandledExceptionFilter
 0x40a0c8 FlsAlloc
 0x40a0cc FlsGetValue
 0x40a0d0 FlsSetValue
 0x40a0d4 FlsFree
 0x40a0d8 GetCurrentProcess
 0x40a0dc TerminateProcess
 0x40a0e0 EnterCriticalSection
 0x40a0e4 LeaveCriticalSection
 0x40a0e8 LoadLibraryExW
 0x40a0ec IsValidCodePage
 0x40a0f0 GetACP
 0x40a0f4 GetOEMCP
 0x40a0f8 GetCPInfo
 0x40a0fc CreateFileW
USER32.dll
 0x40a104 EndDialog
 0x40a108 GetSystemMetrics
 0x40a10c DestroyWindow
 0x40a110 DefWindowProcW
 0x40a114 DialogBoxParamW
 0x40a118 PostQuitMessage
 0x40a11c MessageBoxW
 0x40a120 UpdateWindow
 0x40a124 ShowWindow
 0x40a128 CreateWindowExW
 0x40a12c RegisterClassExW
 0x40a130 LoadCursorW
 0x40a134 LoadIconW
 0x40a138 DispatchMessageW
 0x40a13c TranslateMessage
 0x40a140 TranslateAcceleratorW
 0x40a144 GetMessageW
 0x40a148 LoadAcceleratorsW
 0x40a14c LoadStringW

EAT(Export Address Table) is none