Field | Value |
---|---|
Created | 2023.06.08 09:24 |
Machine | s1_win7_x6401 |
Filename | sonne.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | f4af549b7d5af2412c9b092cbe5610d1 |
sha256 | 37866bce927c1c7a29c83a74d23b17ff60323751da00d678eba6b6ee2dcd3a02 |
ssdeep | 3072:H/DmgskHbfHN+Pst60p0zuNmnKG7peNMQbuZAIqbey3lfbi:fDmfAfHN+wiuInRexuZAIij |
imphash | f8cc61ade86cb7277d0ab974de6323cb |
impfuzzy | 48:2EGXMrJGGO/cpe2toS182zZccgTg3IZSqXHN+W:IXMoGmcpe2toS182zZct4oL |
Network IP location
Signature (21cnts)
Level | Description |
---|---|
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process lamod.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts)
Suricata ids
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x429024 GetFileAttributesA
0x429028 CreateFileA
0x42902c CloseHandle
0x429030 GetSystemInfo
0x429034 CreateThread
0x429038 HeapAlloc
0x42903c GetThreadContext
0x429040 GetProcAddress
0x429044 VirtualAllocEx
0x429048 LocalFree
0x42904c GetLastError
0x429050 ReadProcessMemory
0x429054 GetProcessHeap
0x429058 CreateProcessA
0x42905c CreateDirectoryA
0x429060 SetThreadContext
0x429064 WriteConsoleW
0x429068 ReadConsoleW
0x42906c SetEndOfFile
0x429070 SetFilePointerEx
0x429074 GetTempPathA
0x429078 Sleep
0x42907c SetCurrentDirectoryA
0x429080 GetModuleHandleA
0x429084 GetComputerNameExW
0x429088 ResumeThread
0x42908c GetVersionExW
0x429090 CreateMutexA
0x429094 VirtualAlloc
0x429098 WriteFile
0x42909c VirtualFree
0x4290a0 HeapFree
0x4290a4 WriteProcessMemory
0x4290a8 GetModuleFileNameA
0x4290ac RemoveDirectoryA
0x4290b0 ReadFile
0x4290b4 HeapReAlloc
0x4290b8 HeapSize
0x4290bc GetTimeZoneInformation
0x4290c0 GetConsoleMode
0x4290c4 GetConsoleCP
0x4290c8 FlushFileBuffers
0x4290cc GetStringTypeW
0x4290d0 SetEnvironmentVariableW
0x4290d4 FreeEnvironmentStringsW
0x4290d8 GetEnvironmentStringsW
0x4290dc WideCharToMultiByte
0x4290e0 GetCPInfo
0x4290e4 GetOEMCP
0x4290e8 GetACP
0x4290ec IsValidCodePage
0x4290f0 FindNextFileW
0x4290f4 FindFirstFileExW
0x4290f8 FindClose
0x4290fc SetStdHandle
0x429100 GetFullPathNameW
0x429104 GetCurrentDirectoryW
0x429108 DeleteFileW
0x42910c LCMapStringW
0x429110 EnterCriticalSection
0x429114 LeaveCriticalSection
0x429118 InitializeCriticalSectionAndSpinCount
0x42911c DeleteCriticalSection
0x429120 SetEvent
0x429124 ResetEvent
0x429128 WaitForSingleObjectEx
0x42912c CreateEventW
0x429130 GetModuleHandleW
0x429134 UnhandledExceptionFilter
0x429138 SetUnhandledExceptionFilter
0x42913c GetCurrentProcess
0x429140 TerminateProcess
0x429144 IsProcessorFeaturePresent
0x429148 IsDebuggerPresent
0x42914c GetStartupInfoW
0x429150 QueryPerformanceCounter
0x429154 GetCurrentProcessId
0x429158 GetCurrentThreadId
0x42915c GetSystemTimeAsFileTime
0x429160 InitializeSListHead
0x429164 RaiseException
0x429168 SetLastError
0x42916c RtlUnwind
0x429170 TlsAlloc
0x429174 TlsGetValue
0x429178 TlsSetValue
0x42917c TlsFree
0x429180 FreeLibrary
0x429184 LoadLibraryExW
0x429188 ExitProcess
0x42918c GetModuleHandleExW
0x429190 CreateFileW
0x429194 GetDriveTypeW
0x429198 GetFileInformationByHandle
0x42919c GetFileType
0x4291a0 PeekNamedPipe
0x4291a4 SystemTimeToTzSpecificLocalTime
0x4291a8 FileTimeToSystemTime
0x4291ac GetModuleFileNameW
0x4291b0 GetStdHandle
0x4291b4 GetCommandLineA
0x4291b8 GetCommandLineW
0x4291bc MultiByteToWideChar
0x4291c0 CompareStringW
0x4291c4 DecodePointer
ADVAPI32.dll
0x429000 RegCloseKey
0x429004 RegQueryValueExA
0x429008 GetUserNameA
0x42900c RegSetValueExA
0x429010 RegOpenKeyExA
0x429014 ConvertSidToStringSidW
0x429018 GetUserNameW
0x42901c LookupAccountNameW
SHELL32.dll
0x4291cc SHGetFolderPathA
0x4291d0 ShellExecuteA
0x4291d4 None
0x4291d8 SHFileOperationA
WININET.dll
0x4291e0 HttpOpenRequestA
0x4291e4 InternetReadFile
0x4291e8 InternetConnectA
0x4291ec HttpSendRequestA
0x4291f0 InternetCloseHandle
0x4291f4 InternetOpenA
0x4291f8 InternetOpenW
0x4291fc InternetOpenUrlA
EAT (Export Address Table): none