Field | Value |
---|---|
Created | 2021.06.24 20:42 |
Machine | s1_win7_x6401 |
Filename | mam.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 52 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Noon, Unsafe, Save, Kryptik, ZexaF, FuW@aax389ii, Eldorado, Attribute, HighConfidence, HLJA, R002C0PFH21, Emotet, Static AI, Malicious PE, susgen, xbvuv, ASMalwS, Glupteba, score, ai score=89, CLASSIC, BQS2VC1mgIA, PossibleThreat, GdSda, confidence) |
md5 | 17b10bd28b01f810e415e8fb5ca5bf76 |
sha256 | fee2a0956fd7d2b95cfcd3f46abaf29fb86c8b83d0ee9c756a023a994919072d |
ssdeep | 12288:wMHki40mzGDuTRb3z1bJbyqqiAYz98rNL4c7W6v:J14NUCX1NbrqyJ8pL4u |
imphash | fbf9d3c26150891eb4e7ba18697f956a |
impfuzzy | 48:s3pGkGleeu1kt2cNASvF//KA6UynB/gCKX09+SYJGzFsX:sZGkGkeGkt2clGVjk |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks if process is being debugged by a debugger |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts)
Suricata ids
ET MALWARE FormBook CnC Checkin (GET)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40a000 GetModuleHandleW
0x40a004 CloseHandle
0x40a008 WriteConsoleW
0x40a00c SetFilePointerEx
0x40a010 SetStdHandle
0x40a014 GetConsoleMode
0x40a018 GetConsoleCP
0x40a01c FlushFileBuffers
0x40a020 GetStringTypeW
0x40a024 LCMapStringEx
0x40a028 WideCharToMultiByte
0x40a02c LoadLibraryW
0x40a030 OutputDebugStringW
0x40a034 HeapReAlloc
0x40a038 EncodePointer
0x40a03c DecodePointer
0x40a040 GetCommandLineW
0x40a044 RaiseException
0x40a048 RtlUnwind
0x40a04c IsDebuggerPresent
0x40a050 IsProcessorFeaturePresent
0x40a054 GetLastError
0x40a058 InterlockedDecrement
0x40a05c ExitProcess
0x40a060 GetModuleHandleExW
0x40a064 GetProcAddress
0x40a068 MultiByteToWideChar
0x40a06c HeapSize
0x40a070 Sleep
0x40a074 GetStdHandle
0x40a078 WriteFile
0x40a07c GetModuleFileNameW
0x40a080 HeapFree
0x40a084 HeapAlloc
0x40a088 SetLastError
0x40a08c InterlockedIncrement
0x40a090 GetCurrentThreadId
0x40a094 GetProcessHeap
0x40a098 GetFileType
0x40a09c InitializeCriticalSectionAndSpinCount
0x40a0a0 DeleteCriticalSection
0x40a0a4 InitOnceExecuteOnce
0x40a0a8 GetStartupInfoW
0x40a0ac QueryPerformanceCounter
0x40a0b0 GetSystemTimeAsFileTime
0x40a0b4 GetTickCount64
0x40a0b8 GetEnvironmentStringsW
0x40a0bc FreeEnvironmentStringsW
0x40a0c0 UnhandledExceptionFilter
0x40a0c4 SetUnhandledExceptionFilter
0x40a0c8 FlsAlloc
0x40a0cc FlsGetValue
0x40a0d0 FlsSetValue
0x40a0d4 FlsFree
0x40a0d8 GetCurrentProcess
0x40a0dc TerminateProcess
0x40a0e0 EnterCriticalSection
0x40a0e4 LeaveCriticalSection
0x40a0e8 LoadLibraryExW
0x40a0ec IsValidCodePage
0x40a0f0 GetACP
0x40a0f4 GetOEMCP
0x40a0f8 GetCPInfo
0x40a0fc CreateFileW
USER32.dll
0x40a104 EndDialog
0x40a108 GetSystemMetrics
0x40a10c DestroyWindow
0x40a110 DefWindowProcW
0x40a114 DialogBoxParamW
0x40a118 PostQuitMessage
0x40a11c MessageBoxW
0x40a120 UpdateWindow
0x40a124 ShowWindow
0x40a128 CreateWindowExW
0x40a12c RegisterClassExW
0x40a130 LoadCursorW
0x40a134 LoadIconW
0x40a138 DispatchMessageW
0x40a13c TranslateMessage
0x40a140 TranslateAcceleratorW
0x40a144 GetMessageW
0x40a148 LoadAcceleratorsW
0x40a14c LoadStringW
EAT(Export Address Table) is none