Field | Value |
---|---|
Created | 2023.09.30 13:04 |
Machine | s1_win7_x6403 |
Filename | Amadey.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 55 detected (AIDetectMalware, Windows, Amadey, Zusy, GenericPMF, S30511625, FCND, Save, malicious, ZexaF, ouW@amc4G5pi, Eldorado, Attribute, HighConfidence, score, Doina, BotX, Agen, Zimw, DownLoader46, YXDI3Z, Outbreak, Wacatac, Detected, ai score=86, unsafe, Genetic, Be6eNfNv8YM, Static AI, Malicious PE, susgen, confidence, 100%) |
md5 | aebaf57299cd368f842cfa98f3b1658c |
sha256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
ssdeep | 6144:k5tErvkeLE0X7J7bhi1g6FKVu+dnX9ys8l+:CYkeg0Nbh6FKu+dnX |
imphash | b4e0be0bbc0b6cf93837773846d3b934 |
impfuzzy | 48:JpXUEHG1GOscpeqtSS1I2zZccgTg3NzF57fwwRLPwNWOmg:3XUJGdcpeqtSS1I2zZcty7RLodmg |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Disables proxy possibly for traffic interception |
watch | Installs itself for autorun at Windows startup |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process nhdues.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | infoStealer_browser_b_Zero | browser info stealer | binaries (download) |
danger | Win_Amadey_Zero | Amadey bot | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Amadey Bot Activity (POST) M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x42d044 CreateFileA
0x42d048 CloseHandle
0x42d04c GetSystemInfo
0x42d050 CreateThread
0x42d054 GetThreadContext
0x42d058 GetProcAddress
0x42d05c VirtualAllocEx
0x42d060 RemoveDirectoryA
0x42d064 GetFileAttributesA
0x42d068 CreateProcessA
0x42d06c CreateDirectoryA
0x42d070 SetThreadContext
0x42d074 WriteConsoleW
0x42d078 ReadConsoleW
0x42d07c SetEndOfFile
0x42d080 HeapReAlloc
0x42d084 HeapSize
0x42d088 GetLastError
0x42d08c CopyFileA
0x42d090 GetTempPathA
0x42d094 Sleep
0x42d098 GetModuleHandleA
0x42d09c SetCurrentDirectoryA
0x42d0a0 ResumeThread
0x42d0a4 GetComputerNameExW
0x42d0a8 GetVersionExW
0x42d0ac CreateMutexA
0x42d0b0 VirtualAlloc
0x42d0b4 WriteFile
0x42d0b8 VirtualFree
0x42d0bc WriteProcessMemory
0x42d0c0 GetModuleFileNameA
0x42d0c4 ReadProcessMemory
0x42d0c8 ReadFile
0x42d0cc SetFilePointerEx
0x42d0d0 GetTimeZoneInformation
0x42d0d4 GetConsoleMode
0x42d0d8 GetConsoleCP
0x42d0dc FlushFileBuffers
0x42d0e0 GetStringTypeW
0x42d0e4 GetProcessHeap
0x42d0e8 SetEnvironmentVariableW
0x42d0ec FreeEnvironmentStringsW
0x42d0f0 GetEnvironmentStringsW
0x42d0f4 WideCharToMultiByte
0x42d0f8 GetCPInfo
0x42d0fc GetOEMCP
0x42d100 GetACP
0x42d104 IsValidCodePage
0x42d108 FindNextFileW
0x42d10c FindFirstFileExW
0x42d110 FindClose
0x42d114 SetStdHandle
0x42d118 GetFullPathNameW
0x42d11c GetCurrentDirectoryW
0x42d120 DeleteFileW
0x42d124 EnterCriticalSection
0x42d128 LeaveCriticalSection
0x42d12c InitializeCriticalSectionAndSpinCount
0x42d130 DeleteCriticalSection
0x42d134 SetEvent
0x42d138 ResetEvent
0x42d13c WaitForSingleObjectEx
0x42d140 CreateEventW
0x42d144 GetModuleHandleW
0x42d148 IsDebuggerPresent
0x42d14c UnhandledExceptionFilter
0x42d150 SetUnhandledExceptionFilter
0x42d154 GetStartupInfoW
0x42d158 IsProcessorFeaturePresent
0x42d15c QueryPerformanceCounter
0x42d160 GetCurrentProcessId
0x42d164 GetCurrentThreadId
0x42d168 GetSystemTimeAsFileTime
0x42d16c InitializeSListHead
0x42d170 GetCurrentProcess
0x42d174 TerminateProcess
0x42d178 RaiseException
0x42d17c SetLastError
0x42d180 RtlUnwind
0x42d184 TlsAlloc
0x42d188 TlsGetValue
0x42d18c TlsSetValue
0x42d190 TlsFree
0x42d194 FreeLibrary
0x42d198 LoadLibraryExW
0x42d19c ExitProcess
0x42d1a0 GetModuleHandleExW
0x42d1a4 CreateFileW
0x42d1a8 GetDriveTypeW
0x42d1ac GetFileInformationByHandle
0x42d1b0 GetFileType
0x42d1b4 PeekNamedPipe
0x42d1b8 SystemTimeToTzSpecificLocalTime
0x42d1bc FileTimeToSystemTime
0x42d1c0 GetModuleFileNameW
0x42d1c4 GetStdHandle
0x42d1c8 GetCommandLineA
0x42d1cc GetCommandLineW
0x42d1d0 HeapFree
0x42d1d4 HeapAlloc
0x42d1d8 MultiByteToWideChar
0x42d1dc CompareStringW
0x42d1e0 LCMapStringW
0x42d1e4 DecodePointer
USER32.dll
0x42d1fc GetSystemMetrics
0x42d200 ReleaseDC
0x42d204 GetDC
GDI32.dll
0x42d02c CreateCompatibleBitmap
0x42d030 SelectObject
0x42d034 CreateCompatibleDC
0x42d038 DeleteObject
0x42d03c BitBlt
ADVAPI32.dll
0x42d000 RegCloseKey
0x42d004 RegGetValueA
0x42d008 RegQueryValueExA
0x42d00c GetSidSubAuthorityCount
0x42d010 GetSidSubAuthority
0x42d014 GetUserNameA
0x42d018 LookupAccountNameA
0x42d01c RegSetValueExA
0x42d020 RegOpenKeyExA
0x42d024 GetSidIdentifierAuthority
SHELL32.dll
0x42d1ec ShellExecuteA
0x42d1f0 None
0x42d1f4 SHGetFolderPathA
WININET.dll
0x42d20c HttpOpenRequestA
0x42d210 InternetWriteFile
0x42d214 InternetReadFile
0x42d218 InternetConnectA
0x42d21c HttpSendRequestA
0x42d220 InternetCloseHandle
0x42d224 InternetOpenA
0x42d228 HttpAddRequestHeadersA
0x42d22c HttpSendRequestExW
0x42d230 HttpEndRequestA
0x42d234 InternetOpenW
0x42d238 InternetOpenUrlA
gdiplus.dll
0x42d240 GdipSaveImageToFile
0x42d244 GdipGetImageEncodersSize
0x42d248 GdipDisposeImage
0x42d24c GdipCreateBitmapFromHBITMAP
0x42d250 GdipGetImageEncoders
0x42d254 GdiplusShutdown
0x42d258 GdiplusStartup
EAT(Export Address Table) is none