Report - Rocks.exe

Amadey UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check PE64
Created: 2023.09.15 17:28
Machine: s1_win7_x6403
Filename: Rocks.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: 6
Behavior Score: 10.4
ZERO API (file): malware
VT API (file): 60 detected (Common, Convagent, malicious, high confidence, DownLoader45, Doina, GenericRI, S30172984, Amadey, Save, confidence, 100%, Genus, Eldorado, Attribute, HighConfidence, score, jygpbq, BotX, Deyma, Nekark, amrbc, YXDFGZ, Sabsik, Malware@#2qbmiqywvx3tl, Detected, R586656, FCND, ai score=100, unsafe, Genetic, UF2QdyMW7ZN, aIAcY5BBUz0, Static AI, Malicious PE, susgen)
md5: a64a886a695ed5fb9273e73241fec2f7
sha256: 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
ssdeep: 3072:lWgR9+o+G2K47yLk6E9EzwHxFTTDYUSNt2kLu5gf7or7wy+wXRcWfnPjt:lWu+5a4ukZSwH/TT2NE4u5gTovv
imphash: f8cc61ade86cb7277d0ab974de6323cb
impfuzzy: 48:2EGXMrJGGO/cpe2toS182zZccgTg3IZSqXHN+W:IXMoGmcpe2toS182zZct4oL

Signature (22cnts)

Level Description
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process oneetx.exe
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Command line console output was observed
info Queries for the computername
info This executable has a PDB path

Rules (13cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
http://5.42.65.80/8bmeVwqx/index.php RU CJSC Kolomna-Sviaz TV 5.42.65.80 36023 malicious
http://5.42.65.80/ss41.exe RU CJSC Kolomna-Sviaz TV 5.42.65.80 malicious
z.nnnaajjjgc.com US HK Kwaifong Group Limited 156.236.72.121 malware
156.236.72.121 US HK Kwaifong Group Limited 156.236.72.121 malicious
5.42.65.80 RU CJSC Kolomna-Sviaz TV 5.42.65.80 malware
95.214.27.254 DE CMCS 95.214.27.254 malware

Suricata ids

PE API

IAT (Import Address Table) - Library

KERNEL32.dll
 0x427024 GetFileAttributesA
 0x427028 CreateFileA
 0x42702c CloseHandle
 0x427030 GetSystemInfo
 0x427034 CreateThread
 0x427038 HeapAlloc
 0x42703c GetThreadContext
 0x427040 GetProcAddress
 0x427044 VirtualAllocEx
 0x427048 LocalFree
 0x42704c GetLastError
 0x427050 ReadProcessMemory
 0x427054 GetProcessHeap
 0x427058 CreateProcessA
 0x42705c CreateDirectoryA
 0x427060 SetThreadContext
 0x427064 WriteConsoleW
 0x427068 ReadConsoleW
 0x42706c SetEndOfFile
 0x427070 SetFilePointerEx
 0x427074 GetTempPathA
 0x427078 Sleep
 0x42707c SetCurrentDirectoryA
 0x427080 GetModuleHandleA
 0x427084 GetComputerNameExW
 0x427088 ResumeThread
 0x42708c GetVersionExW
 0x427090 CreateMutexA
 0x427094 VirtualAlloc
 0x427098 WriteFile
 0x42709c VirtualFree
 0x4270a0 HeapFree
 0x4270a4 WriteProcessMemory
 0x4270a8 GetModuleFileNameA
 0x4270ac RemoveDirectoryA
 0x4270b0 ReadFile
 0x4270b4 HeapReAlloc
 0x4270b8 HeapSize
 0x4270bc GetTimeZoneInformation
 0x4270c0 GetConsoleMode
 0x4270c4 GetConsoleCP
 0x4270c8 FlushFileBuffers
 0x4270cc GetStringTypeW
 0x4270d0 SetEnvironmentVariableW
 0x4270d4 FreeEnvironmentStringsW
 0x4270d8 GetEnvironmentStringsW
 0x4270dc WideCharToMultiByte
 0x4270e0 GetCPInfo
 0x4270e4 GetOEMCP
 0x4270e8 GetACP
 0x4270ec IsValidCodePage
 0x4270f0 FindNextFileW
 0x4270f4 FindFirstFileExW
 0x4270f8 FindClose
 0x4270fc SetStdHandle
 0x427100 GetFullPathNameW
 0x427104 GetCurrentDirectoryW
 0x427108 DeleteFileW
 0x42710c LCMapStringW
 0x427110 EnterCriticalSection
 0x427114 LeaveCriticalSection
 0x427118 InitializeCriticalSectionAndSpinCount
 0x42711c DeleteCriticalSection
 0x427120 SetEvent
 0x427124 ResetEvent
 0x427128 WaitForSingleObjectEx
 0x42712c CreateEventW
 0x427130 GetModuleHandleW
 0x427134 UnhandledExceptionFilter
 0x427138 SetUnhandledExceptionFilter
 0x42713c GetCurrentProcess
 0x427140 TerminateProcess
 0x427144 IsProcessorFeaturePresent
 0x427148 IsDebuggerPresent
 0x42714c GetStartupInfoW
 0x427150 QueryPerformanceCounter
 0x427154 GetCurrentProcessId
 0x427158 GetCurrentThreadId
 0x42715c GetSystemTimeAsFileTime
 0x427160 InitializeSListHead
 0x427164 RaiseException
 0x427168 SetLastError
 0x42716c RtlUnwind
 0x427170 TlsAlloc
 0x427174 TlsGetValue
 0x427178 TlsSetValue
 0x42717c TlsFree
 0x427180 FreeLibrary
 0x427184 LoadLibraryExW
 0x427188 ExitProcess
 0x42718c GetModuleHandleExW
 0x427190 CreateFileW
 0x427194 GetDriveTypeW
 0x427198 GetFileInformationByHandle
 0x42719c GetFileType
 0x4271a0 PeekNamedPipe
 0x4271a4 SystemTimeToTzSpecificLocalTime
 0x4271a8 FileTimeToSystemTime
 0x4271ac GetModuleFileNameW
 0x4271b0 GetStdHandle
 0x4271b4 GetCommandLineA
 0x4271b8 GetCommandLineW
 0x4271bc MultiByteToWideChar
 0x4271c0 CompareStringW
 0x4271c4 DecodePointer
ADVAPI32.dll
 0x427000 RegCloseKey
 0x427004 RegQueryValueExA
 0x427008 GetUserNameA
 0x42700c RegSetValueExA
 0x427010 RegOpenKeyExA
 0x427014 ConvertSidToStringSidW
 0x427018 GetUserNameW
 0x42701c LookupAccountNameW
SHELL32.dll
 0x4271cc SHGetFolderPathA
 0x4271d0 ShellExecuteA
 0x4271d4 None
 0x4271d8 SHFileOperationA
WININET.dll
 0x4271e0 HttpOpenRequestA
 0x4271e4 InternetReadFile
 0x4271e8 InternetConnectA
 0x4271ec HttpSendRequestA
 0x4271f0 InternetCloseHandle
 0x4271f4 InternetOpenA
 0x4271f8 InternetOpenW
 0x4271fc InternetOpenUrlA

EAT (Export Address Table): none