Field | Value |
---|---|
Created | 2021.10.26 09:25 |
Machine | s1_win7_x6403 |
Filename | 1202120788.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 25 detected (malicious, high confidence, Unsafe, Save, confidence, ZexaF, yuW@aOfGKFci, Attribute, HighConfidence, GenKryptik, FMOK, ccmw, FileRepMetagen, Generic@ML, RDML, qqNYuXiQ1ilL0QgB4fSmQw, R + Mal, EncPk, Score, Sabsik, se28925, Static AI, Malicious PE) |
md5 | f6be182d94ecfa6172e27d254444e88f |
sha256 | 72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5 |
ssdeep | 6144:hMh/XLfepxkjkB/UUwoNQYzkQ2nGz7dwLcfeoZ3i222BKEKnkRv:uXLmpxkjkB/rN1zkQ2nGz7dWW0k |
imphash | f8446044d3827db30ca59c0186698c18 |
impfuzzy | 6:dBJAEtwyRlb7GDMyFAiLiRgTA/En10J8SLby6ML:VAPqqDMyjLiOAM2J8SC/ |
Signatures (16 counts)
Level | Description |
---|---|
warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Command line console output was observed |
info | Queries for the computername |
Rules (7 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
- ET DROP Spamhaus DROP Listed Traffic Inbound group 25
- ET MALWARE Amadey CnC Check-In
- ET MALWARE Amadey CnC Check-In
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
kernel32.dll | 0x457008 | LoadLibraryA |
kernel32.dll | 0x45700c | VirtualAlloc |
kernel32.dll | 0x457010 | VirtualProtect |
kernel32.dll | 0x457014 | GetProcAddress |
kernel32.dll | 0x457018 | lstrlenA |
kernel32.dll | 0x45701c | lstrcatA |
version.dll | 0x45703c | VerInstallFileW |
user32.dll | 0x457034 | LoadKeyboardLayoutW |
ole32.dll | 0x457024 | HICON_UserUnmarshal |
shell32.dll | 0x45702c | StrRStrIW |
GdiPlus.dll | 0x4660c6 | GdipAddPathClosedCurve2 |
EAT (Export Address Table)
Address | Function |
---|---|
0x421e04 | DllCanUnloadNow |