ScreenShot
| Created | 2023.09.02 18:30 | Machine | s1_win7_x6403 |
| Filename | ummaa.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 53 detected (AIDetectMalware, Malicious, score, TjnDroppr, Dapato, S28495190, GenericRXTU, Save, Razy, ZexaF, KqW@aKmNgYbi, Lazy, Eldorado, Attribute, HighConfidence, high confidence, Mqil, PRIVATELOADER, YXDIBZ, high, Static AI, Malicious PE, Amadey, 102OIFV, Detected, R497632, BScope, Nitol, ai score=80, unsafe, Genetic, DcRat, BNER4NzZWDL, Tnega, Tiny, confidence, 100%) | ||
| md5 | 58bc43389c3e720c0af4ff563d5ed7ce | ||
| sha256 | 4d7a22a1f7d76310b2c8420cb2f02ef4633cb689e4b8eaaab165731b9341163f | ||
| ssdeep | 12288:ZR1BzB+BS5RMmF6We5AQtL8Luq2qL5e+iNqajC2UrhOhmfnRl:ZR1BzBGS5RMmF6We5AQKLJ2qjIqa1Ur5 | ||
| imphash | a9c887a4f18a3fede2cc29ceea138ed3 | ||
| impfuzzy | 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process oneetx.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Possible Kelihos.F EXE Download Common Structure
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x493ec0 malloc
0x493ec4 memset
0x493ec8 strcmp
0x493ecc strcpy
0x493ed0 getenv
0x493ed4 sprintf
0x493ed8 fopen
0x493edc fwrite
0x493ee0 fclose
0x493ee4 __argc
0x493ee8 __argv
0x493eec _environ
0x493ef0 _XcptFilter
0x493ef4 __set_app_type
0x493ef8 _controlfp
0x493efc __getmainargs
0x493f00 exit
shell32.dll
0x493f08 ShellExecuteA
kernel32.dll
0x493f10 SetUnhandledExceptionFilter
EAT(Export Address Table) is none
msvcrt.dll
0x493ec0 malloc
0x493ec4 memset
0x493ec8 strcmp
0x493ecc strcpy
0x493ed0 getenv
0x493ed4 sprintf
0x493ed8 fopen
0x493edc fwrite
0x493ee0 fclose
0x493ee4 __argc
0x493ee8 __argv
0x493eec _environ
0x493ef0 _XcptFilter
0x493ef4 __set_app_type
0x493ef8 _controlfp
0x493efc __getmainargs
0x493f00 exit
shell32.dll
0x493f08 ShellExecuteA
kernel32.dll
0x493f10 SetUnhandledExceptionFilter
EAT(Export Address Table) is none