Report - AAAd.exe

Created 2023.06.26 08:14, Machine s1_win7_x6401
Filename AAAd.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 7
Behavior Score: 10.0
ZERO API (file): malware
VT API (file): 51 detected (AIDetectMalware, Siggen20, Zusy, Doina, Save, Amadey, malicious, confidence, 100%, ZexaF, ouW@aWGuoNki, Eldorado, Attribute, HighConfidence, high confidence, score, Deyma, BotX, Agen, Njgl, YXDFXZ, Static AI, Malicious PE, ai score=85, LXCUSU, Detected, FCND, unsafe, GdSda, Generic@AI, RDML, nsu7q1pN70IgBYqlEu3h2Q, susgen, EGTS)
md5 3dd072d71907f6d5a5b046908c081f11
sha256 1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
ssdeep 6144:0s9bFCavQJdMSzPgI0KIikB/NiFEZu7dRmV:pbFCRMcRIiTFgu7dR
imphash ff195cccada6bfe977f7c90930774f78
impfuzzy 48:ggXgEHG1GOscpe2toS182zZccgTg3NzF57fwwRLP2HN+guPg:pXgJGdcpe2toS182zZcty7RLClSg

Signature (47cnts)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Checks the version of Bios
watch Communicates with host for which no DNS query was performed
watch Detects Avast Antivirus through the presence of a library
watch Detects VirtualBox using WNetGetProviderName trick
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch The process powershell.exe wrote an executable file to disk
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for known Chinese AV software registry keys
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Powershell is sending data to a remote host
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice URL downloaded by powershell script
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Powershell script has download & invoke calls
info Queries for the computername
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (46cnts)

Level Name Description Collection
danger HermeticWiper_Zero HermeticWiper binaries (download)
danger infoStealer_browser_b_Zero browser info stealer binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader binaries (download)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Escalate_priviledges Escalate privileges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_DGA Communication using DGA memory
notice Network_HTTP Communications over HTTP memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info icon_file_format icon file format binaries (download)
info Is_DotNET_DLL (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info PowerShell PowerShell script scripts
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info PowershellDI Extract Download/Invoke calls from powershell script scripts

Network (39cnts)

Request | CC | ASN | IP4 | Rule | ZERO verdict
http://109.206.241.33/9bDc8sQ/Plugins/cred64.dll Unknown 109.206.241.33 clean
http://109.206.241.33/9bDc8sQ/index.php?scr=1 Unknown 109.206.241.33 clean
http://79.137.192.3/staticlittlesource.exe RU Psk-set LLC 79.137.192.3 clean
http://85.217.144.143/files/My2.exe Unknown 85.217.144.143 clean
http://85.217.144.228/files/AAAd1.exe Unknown 85.217.144.228 malware
http://195.123.226.82/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM BG ITL LLC 195.123.226.82 34561 malicious
http://galandskiyher2.com/downloads/toolspub1.exe Unknown 194.50.153.68 clean
http://apps.identrust.com/roots/dstrootcax3.p7c US Akamai International B.V. 23.67.53.19 clean
http://109.206.241.33/9bDc8sQ/Plugins/clip64.dll Unknown 109.206.241.33 clean
http://85.217.144.143/files/setup.exe Unknown 85.217.144.143 clean
http://gejevesd.beget.tech/385118/setup.exe RU Beget LLC 91.106.207.112 clean
http://109.206.241.33/9bDc8sQ/index.php Unknown 109.206.241.33 clean
https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/download/11.2.0.11537/300.910/WPSOffice_11.2.0.11537.exe US CLOUDFLARENET 104.17.187.189 clean
https://sungeomatics.com/css/colors/cc2.exe US IMH-WEST 205.134.251.88 34563 malware
https://sungeomatics.com/css/colors/cc1.php US IMH-WEST 205.134.251.88 34595 malicious
https://sungeomatics.com/css/colors/cc4.exe US IMH-WEST 205.134.251.88 34565 malware
https://sungeomatics.com/css/colors/debug2.ps1 US IMH-WEST 205.134.251.88 34560 malicious
https://sungeomatics.com/css/colors/cc5.exe US IMH-WEST 205.134.251.88 34566 malware
https://sungeomatics.com/css/colors/dd_64.exe US IMH-WEST 205.134.251.88 34562 malware
https://sungeomatics.com/css/colors/cc3.exe US IMH-WEST 205.134.251.88 34564 malware
https://sungeomatics.com/css/colors/postmon.exe US IMH-WEST 205.134.251.88 malware
https://sungeomatics.com/css/colors/cc2.php US IMH-WEST 205.134.251.88 34597 malicious
https://sungeomatics.com/css/colors/cc3.php US IMH-WEST 205.134.251.88 34596 malicious
foryourbar.org US CLOUDFLARENET 172.67.205.237 clean
galandskiyher2.com Unknown 194.50.153.68 clean
wdl1.pcfg.cache.wpscdn.com US CLOUDFLARENET 104.17.188.189 clean
gejevesd.beget.tech RU Beget LLC 91.106.207.112 clean
sungeomatics.com US IMH-WEST 205.134.251.88 malicious
91.106.207.112 RU Beget LLC 91.106.207.112 malicious
85.217.144.143 Unknown 85.217.144.143 malware
195.123.226.82 BG ITL LLC 195.123.226.82 malicious
104.17.187.189 US CLOUDFLARENET 104.17.187.189 clean
85.217.144.228 Unknown 85.217.144.228 malware
121.254.136.27 KR LG DACOM Corporation 121.254.136.27 clean
194.50.153.68 Unknown 194.50.153.68 malware
109.206.241.33 Unknown 109.206.241.33 malicious
172.67.205.237 US CLOUDFLARENET 172.67.205.237 clean
205.134.251.88 US IMH-WEST 205.134.251.88 malicious
79.137.192.3 RU Psk-set LLC 79.137.192.3 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x42e044 CloseHandle
 0x42e048 GetSystemInfo
 0x42e04c CreateThread
 0x42e050 GetThreadContext
 0x42e054 GetProcAddress
 0x42e058 VirtualAllocEx
 0x42e05c RemoveDirectoryA
 0x42e060 CreateFileA
 0x42e064 CreateProcessA
 0x42e068 CreateDirectoryA
 0x42e06c SetThreadContext
 0x42e070 WriteConsoleW
 0x42e074 ReadConsoleW
 0x42e078 SetEndOfFile
 0x42e07c HeapReAlloc
 0x42e080 HeapSize
 0x42e084 GetFileAttributesA
 0x42e088 GetLastError
 0x42e08c GetTempPathA
 0x42e090 Sleep
 0x42e094 GetModuleHandleA
 0x42e098 SetCurrentDirectoryA
 0x42e09c ResumeThread
 0x42e0a0 GetComputerNameExW
 0x42e0a4 GetVersionExW
 0x42e0a8 CreateMutexA
 0x42e0ac VirtualAlloc
 0x42e0b0 WriteFile
 0x42e0b4 VirtualFree
 0x42e0b8 WriteProcessMemory
 0x42e0bc GetModuleFileNameA
 0x42e0c0 ReadProcessMemory
 0x42e0c4 ReadFile
 0x42e0c8 SetFilePointerEx
 0x42e0cc GetTimeZoneInformation
 0x42e0d0 GetConsoleMode
 0x42e0d4 GetConsoleCP
 0x42e0d8 FlushFileBuffers
 0x42e0dc GetStringTypeW
 0x42e0e0 GetProcessHeap
 0x42e0e4 SetEnvironmentVariableW
 0x42e0e8 FreeEnvironmentStringsW
 0x42e0ec GetEnvironmentStringsW
 0x42e0f0 WideCharToMultiByte
 0x42e0f4 GetCPInfo
 0x42e0f8 GetOEMCP
 0x42e0fc GetACP
 0x42e100 IsValidCodePage
 0x42e104 FindNextFileW
 0x42e108 FindFirstFileExW
 0x42e10c FindClose
 0x42e110 SetStdHandle
 0x42e114 GetFullPathNameW
 0x42e118 GetCurrentDirectoryW
 0x42e11c DeleteFileW
 0x42e120 EnterCriticalSection
 0x42e124 LeaveCriticalSection
 0x42e128 InitializeCriticalSectionAndSpinCount
 0x42e12c DeleteCriticalSection
 0x42e130 SetEvent
 0x42e134 ResetEvent
 0x42e138 WaitForSingleObjectEx
 0x42e13c CreateEventW
 0x42e140 GetModuleHandleW
 0x42e144 UnhandledExceptionFilter
 0x42e148 SetUnhandledExceptionFilter
 0x42e14c GetCurrentProcess
 0x42e150 TerminateProcess
 0x42e154 IsProcessorFeaturePresent
 0x42e158 IsDebuggerPresent
 0x42e15c GetStartupInfoW
 0x42e160 QueryPerformanceCounter
 0x42e164 GetCurrentProcessId
 0x42e168 GetCurrentThreadId
 0x42e16c GetSystemTimeAsFileTime
 0x42e170 InitializeSListHead
 0x42e174 RaiseException
 0x42e178 SetLastError
 0x42e17c RtlUnwind
 0x42e180 TlsAlloc
 0x42e184 TlsGetValue
 0x42e188 TlsSetValue
 0x42e18c TlsFree
 0x42e190 FreeLibrary
 0x42e194 LoadLibraryExW
 0x42e198 ExitProcess
 0x42e19c GetModuleHandleExW
 0x42e1a0 CreateFileW
 0x42e1a4 GetDriveTypeW
 0x42e1a8 GetFileInformationByHandle
 0x42e1ac GetFileType
 0x42e1b0 PeekNamedPipe
 0x42e1b4 SystemTimeToTzSpecificLocalTime
 0x42e1b8 FileTimeToSystemTime
 0x42e1bc GetModuleFileNameW
 0x42e1c0 GetStdHandle
 0x42e1c4 GetCommandLineA
 0x42e1c8 GetCommandLineW
 0x42e1cc HeapFree
 0x42e1d0 HeapAlloc
 0x42e1d4 MultiByteToWideChar
 0x42e1d8 CompareStringW
 0x42e1dc LCMapStringW
 0x42e1e0 DecodePointer
USER32.dll
 0x42e1fc GetSystemMetrics
 0x42e200 ReleaseDC
 0x42e204 GetDC
GDI32.dll
 0x42e02c CreateCompatibleBitmap
 0x42e030 SelectObject
 0x42e034 CreateCompatibleDC
 0x42e038 DeleteObject
 0x42e03c BitBlt
ADVAPI32.dll
 0x42e000 RegCloseKey
 0x42e004 RegGetValueA
 0x42e008 RegQueryValueExA
 0x42e00c GetSidSubAuthorityCount
 0x42e010 GetSidSubAuthority
 0x42e014 GetUserNameA
 0x42e018 LookupAccountNameA
 0x42e01c RegSetValueExA
 0x42e020 RegOpenKeyExA
 0x42e024 GetSidIdentifierAuthority
SHELL32.dll
 0x42e1e8 SHGetFolderPathA
 0x42e1ec ShellExecuteA
 0x42e1f0 None
 0x42e1f4 SHFileOperationA
WININET.dll
 0x42e20c HttpOpenRequestA
 0x42e210 InternetReadFile
 0x42e214 InternetConnectA
 0x42e218 HttpSendRequestA
 0x42e21c InternetCloseHandle
 0x42e220 InternetOpenA
 0x42e224 HttpAddRequestHeadersA
 0x42e228 HttpSendRequestExW
 0x42e22c HttpEndRequestA
 0x42e230 InternetOpenW
 0x42e234 InternetOpenUrlA
 0x42e238 InternetWriteFile
gdiplus.dll
 0x42e240 GdipSaveImageToFile
 0x42e244 GdipGetImageEncodersSize
 0x42e248 GdipDisposeImage
 0x42e24c GdipCreateBitmapFromHBITMAP
 0x42e250 GdipGetImageEncoders
 0x42e254 GdiplusShutdown
 0x42e258 GdiplusStartup

EAT (Export Address Table) is none
