ScreenShot
| Created | 2023.10.31 17:45 | Machine | s1_win7_x6401 |
| Filename | abd.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 52 detected (AIDetectMalware, Deyma, Windows, Amadey, Siggen21, Zusy, Save, malicious, ZexaF, tuW@a0HJc@fi, Genus, Attribute, HighConfidence, score, 046sIl9HhmS, YXDJ5Z, Static AI, Malicious PE, Detected, ai score=89, Eldorado, FCND, unsafe, Chgt, Gencirc, susgen, DropperX, confidence, 100%) | ||
| md5 | b6d627dcf04d04889b1f01a14ec12405 | ||
| sha256 | 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf | ||
| ssdeep | 6144:G77rhGafhHSBwHRqGJbdbZI44SGe4s8Lu67rvAOveiZavLb:G7rRSSHRnJfIrscu67TZhavL | ||
| imphash | f722e751a647e22fa4d7e966bdaa4f04 | ||
| impfuzzy | 48:9eRHXc3ncGOKZTc+JyNtSS1jGoZcc6g3GAF57fwwRLP2HN+5TPg:IZXlGjTc+JEtSS1jGoZc9c7RLCSzg | ||
Network IP location
Signature (29cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process utsysc.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | infoStealer_browser_b_Zero | browser info stealer | binaries (download) |
| danger | Win_Amadey_Zero | Amadey bot | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Amadey Bot Activity (POST) M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Amadey Bot Activity (POST) M1
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x439044 Sleep
0x439048 GetTempPathA
0x43904c Wow64RevertWow64FsRedirection
0x439050 GetLastError
0x439054 GetFileAttributesA
0x439058 CreateFileA
0x43905c CloseHandle
0x439060 GetSystemInfo
0x439064 CreateThread
0x439068 GetThreadContext
0x43906c SetCurrentDirectoryA
0x439070 VirtualAllocEx
0x439074 RemoveDirectoryA
0x439078 ReadProcessMemory
0x43907c CreateProcessA
0x439080 CreateDirectoryA
0x439084 SetThreadContext
0x439088 ReadConsoleW
0x43908c SetEndOfFile
0x439090 HeapSize
0x439094 SetFilePointerEx
0x439098 GetModuleHandleA
0x43909c ResumeThread
0x4390a0 GetComputerNameExW
0x4390a4 GetVersionExW
0x4390a8 CreateMutexA
0x4390ac WaitForSingleObject
0x4390b0 PeekNamedPipe
0x4390b4 CreatePipe
0x4390b8 VirtualAlloc
0x4390bc Wow64DisableWow64FsRedirection
0x4390c0 WriteFile
0x4390c4 VirtualFree
0x4390c8 SetHandleInformation
0x4390cc WriteProcessMemory
0x4390d0 GetModuleFileNameA
0x4390d4 GetProcAddress
0x4390d8 ReadFile
0x4390dc GetConsoleMode
0x4390e0 GetConsoleCP
0x4390e4 FlushFileBuffers
0x4390e8 GetProcessHeap
0x4390ec SetEnvironmentVariableW
0x4390f0 FreeEnvironmentStringsW
0x4390f4 GetEnvironmentStringsW
0x4390f8 GetOEMCP
0x4390fc GetACP
0x439100 IsValidCodePage
0x439104 FindNextFileW
0x439108 FindFirstFileExW
0x43910c FindClose
0x439110 GetTimeZoneInformation
0x439114 HeapReAlloc
0x439118 SetStdHandle
0x43911c GetFullPathNameW
0x439120 GetCurrentDirectoryW
0x439124 DeleteFileW
0x439128 EnumSystemLocalesW
0x43912c GetUserDefaultLCID
0x439130 IsValidLocale
0x439134 HeapAlloc
0x439138 HeapFree
0x43913c WideCharToMultiByte
0x439140 EnterCriticalSection
0x439144 LeaveCriticalSection
0x439148 DeleteCriticalSection
0x43914c SetLastError
0x439150 InitializeCriticalSectionAndSpinCount
0x439154 CreateEventW
0x439158 SwitchToThread
0x43915c TlsAlloc
0x439160 TlsGetValue
0x439164 TlsSetValue
0x439168 TlsFree
0x43916c GetSystemTimeAsFileTime
0x439170 GetModuleHandleW
0x439174 EncodePointer
0x439178 DecodePointer
0x43917c MultiByteToWideChar
0x439180 CompareStringW
0x439184 LCMapStringW
0x439188 GetLocaleInfoW
0x43918c GetStringTypeW
0x439190 GetCPInfo
0x439194 SetEvent
0x439198 ResetEvent
0x43919c WaitForSingleObjectEx
0x4391a0 IsDebuggerPresent
0x4391a4 UnhandledExceptionFilter
0x4391a8 SetUnhandledExceptionFilter
0x4391ac GetStartupInfoW
0x4391b0 IsProcessorFeaturePresent
0x4391b4 QueryPerformanceCounter
0x4391b8 GetCurrentProcessId
0x4391bc GetCurrentThreadId
0x4391c0 InitializeSListHead
0x4391c4 GetCurrentProcess
0x4391c8 TerminateProcess
0x4391cc RaiseException
0x4391d0 RtlUnwind
0x4391d4 FreeLibrary
0x4391d8 LoadLibraryExW
0x4391dc ExitProcess
0x4391e0 GetModuleHandleExW
0x4391e4 CreateFileW
0x4391e8 GetDriveTypeW
0x4391ec GetFileInformationByHandle
0x4391f0 GetFileType
0x4391f4 SystemTimeToTzSpecificLocalTime
0x4391f8 FileTimeToSystemTime
0x4391fc GetModuleFileNameW
0x439200 GetStdHandle
0x439204 GetCommandLineA
0x439208 GetCommandLineW
0x43920c WriteConsoleW
USER32.dll
0x439228 GetSystemMetrics
0x43922c ReleaseDC
0x439230 GetDC
GDI32.dll
0x43902c CreateCompatibleBitmap
0x439030 SelectObject
0x439034 CreateCompatibleDC
0x439038 DeleteObject
0x43903c BitBlt
ADVAPI32.dll
0x439000 RegCloseKey
0x439004 RegGetValueA
0x439008 RegQueryValueExA
0x43900c GetSidSubAuthorityCount
0x439010 GetSidSubAuthority
0x439014 GetUserNameA
0x439018 LookupAccountNameA
0x43901c RegSetValueExA
0x439020 RegOpenKeyExA
0x439024 GetSidIdentifierAuthority
SHELL32.dll
0x439214 SHGetFolderPathA
0x439218 ShellExecuteA
0x43921c None
0x439220 SHFileOperationA
WININET.dll
0x439238 HttpOpenRequestA
0x43923c InternetReadFile
0x439240 InternetConnectA
0x439244 HttpSendRequestA
0x439248 InternetCloseHandle
0x43924c InternetOpenA
0x439250 HttpSendRequestExA
0x439254 HttpAddRequestHeadersA
0x439258 HttpEndRequestA
0x43925c InternetOpenW
0x439260 InternetOpenUrlA
0x439264 InternetWriteFile
gdiplus.dll
0x43926c GdipSaveImageToFile
0x439270 GdipGetImageEncodersSize
0x439274 GdipDisposeImage
0x439278 GdipCreateBitmapFromHBITMAP
0x43927c GdipGetImageEncoders
0x439280 GdiplusShutdown
0x439284 GdiplusStartup
EAT(Export Address Table) is none
KERNEL32.dll
0x439044 Sleep
0x439048 GetTempPathA
0x43904c Wow64RevertWow64FsRedirection
0x439050 GetLastError
0x439054 GetFileAttributesA
0x439058 CreateFileA
0x43905c CloseHandle
0x439060 GetSystemInfo
0x439064 CreateThread
0x439068 GetThreadContext
0x43906c SetCurrentDirectoryA
0x439070 VirtualAllocEx
0x439074 RemoveDirectoryA
0x439078 ReadProcessMemory
0x43907c CreateProcessA
0x439080 CreateDirectoryA
0x439084 SetThreadContext
0x439088 ReadConsoleW
0x43908c SetEndOfFile
0x439090 HeapSize
0x439094 SetFilePointerEx
0x439098 GetModuleHandleA
0x43909c ResumeThread
0x4390a0 GetComputerNameExW
0x4390a4 GetVersionExW
0x4390a8 CreateMutexA
0x4390ac WaitForSingleObject
0x4390b0 PeekNamedPipe
0x4390b4 CreatePipe
0x4390b8 VirtualAlloc
0x4390bc Wow64DisableWow64FsRedirection
0x4390c0 WriteFile
0x4390c4 VirtualFree
0x4390c8 SetHandleInformation
0x4390cc WriteProcessMemory
0x4390d0 GetModuleFileNameA
0x4390d4 GetProcAddress
0x4390d8 ReadFile
0x4390dc GetConsoleMode
0x4390e0 GetConsoleCP
0x4390e4 FlushFileBuffers
0x4390e8 GetProcessHeap
0x4390ec SetEnvironmentVariableW
0x4390f0 FreeEnvironmentStringsW
0x4390f4 GetEnvironmentStringsW
0x4390f8 GetOEMCP
0x4390fc GetACP
0x439100 IsValidCodePage
0x439104 FindNextFileW
0x439108 FindFirstFileExW
0x43910c FindClose
0x439110 GetTimeZoneInformation
0x439114 HeapReAlloc
0x439118 SetStdHandle
0x43911c GetFullPathNameW
0x439120 GetCurrentDirectoryW
0x439124 DeleteFileW
0x439128 EnumSystemLocalesW
0x43912c GetUserDefaultLCID
0x439130 IsValidLocale
0x439134 HeapAlloc
0x439138 HeapFree
0x43913c WideCharToMultiByte
0x439140 EnterCriticalSection
0x439144 LeaveCriticalSection
0x439148 DeleteCriticalSection
0x43914c SetLastError
0x439150 InitializeCriticalSectionAndSpinCount
0x439154 CreateEventW
0x439158 SwitchToThread
0x43915c TlsAlloc
0x439160 TlsGetValue
0x439164 TlsSetValue
0x439168 TlsFree
0x43916c GetSystemTimeAsFileTime
0x439170 GetModuleHandleW
0x439174 EncodePointer
0x439178 DecodePointer
0x43917c MultiByteToWideChar
0x439180 CompareStringW
0x439184 LCMapStringW
0x439188 GetLocaleInfoW
0x43918c GetStringTypeW
0x439190 GetCPInfo
0x439194 SetEvent
0x439198 ResetEvent
0x43919c WaitForSingleObjectEx
0x4391a0 IsDebuggerPresent
0x4391a4 UnhandledExceptionFilter
0x4391a8 SetUnhandledExceptionFilter
0x4391ac GetStartupInfoW
0x4391b0 IsProcessorFeaturePresent
0x4391b4 QueryPerformanceCounter
0x4391b8 GetCurrentProcessId
0x4391bc GetCurrentThreadId
0x4391c0 InitializeSListHead
0x4391c4 GetCurrentProcess
0x4391c8 TerminateProcess
0x4391cc RaiseException
0x4391d0 RtlUnwind
0x4391d4 FreeLibrary
0x4391d8 LoadLibraryExW
0x4391dc ExitProcess
0x4391e0 GetModuleHandleExW
0x4391e4 CreateFileW
0x4391e8 GetDriveTypeW
0x4391ec GetFileInformationByHandle
0x4391f0 GetFileType
0x4391f4 SystemTimeToTzSpecificLocalTime
0x4391f8 FileTimeToSystemTime
0x4391fc GetModuleFileNameW
0x439200 GetStdHandle
0x439204 GetCommandLineA
0x439208 GetCommandLineW
0x43920c WriteConsoleW
USER32.dll
0x439228 GetSystemMetrics
0x43922c ReleaseDC
0x439230 GetDC
GDI32.dll
0x43902c CreateCompatibleBitmap
0x439030 SelectObject
0x439034 CreateCompatibleDC
0x439038 DeleteObject
0x43903c BitBlt
ADVAPI32.dll
0x439000 RegCloseKey
0x439004 RegGetValueA
0x439008 RegQueryValueExA
0x43900c GetSidSubAuthorityCount
0x439010 GetSidSubAuthority
0x439014 GetUserNameA
0x439018 LookupAccountNameA
0x43901c RegSetValueExA
0x439020 RegOpenKeyExA
0x439024 GetSidIdentifierAuthority
SHELL32.dll
0x439214 SHGetFolderPathA
0x439218 ShellExecuteA
0x43921c None
0x439220 SHFileOperationA
WININET.dll
0x439238 HttpOpenRequestA
0x43923c InternetReadFile
0x439240 InternetConnectA
0x439244 HttpSendRequestA
0x439248 InternetCloseHandle
0x43924c InternetOpenA
0x439250 HttpSendRequestExA
0x439254 HttpAddRequestHeadersA
0x439258 HttpEndRequestA
0x43925c InternetOpenW
0x439260 InternetOpenUrlA
0x439264 InternetWriteFile
gdiplus.dll
0x43926c GdipSaveImageToFile
0x439270 GdipGetImageEncodersSize
0x439274 GdipDisposeImage
0x439278 GdipCreateBitmapFromHBITMAP
0x43927c GdipGetImageEncoders
0x439280 GdiplusShutdown
0x439284 GdiplusStartup
EAT(Export Address Table) is none