ScreenShot
Field | Value |
---|---|
Created | 2023.11.03 18:29 |
Machine | s1_win7_x6401 |
Filename | Amadey.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 5d0310efbb0ea7ead8624b0335b21b7b |
sha256 | a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a |
ssdeep | 6144:Rb6w2ysktItqrvJ8oGJJWfZRXIjqGlG4u67+lAOHziULb:RNtmqjJ8xJmRGltu67sfL |
imphash | f722e751a647e22fa4d7e966bdaa4f04 |
impfuzzy | 48:9eRHXc3ncGOKZTc+JyNtSS1jGoZcc6g3GAF57fwwRLP2HN+5TPg:IZXlGjTc+JEtSS1jGoZc9c7RLCSzg |
Network IP location
Signature (54cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Disables Windows Security features |
danger | Executed a process and injected code into it |
watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preparations. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to disable Windows Auto Updates |
watch | Attempts to identify installed AV products by installation directory |
watch | Attempts to stop active services |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Creates an Alternate Data Stream (ADS) |
watch | Detects Avast Antivirus through the presence of a library |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
watch | Installs itself for autorun at Windows startup |
watch | Network activity contains more than one unique useragent |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process utsysc.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (43cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | detect_Redline_Stealer_V2 | (no description) | binaries (download) |
danger | infoStealer_browser_b_Zero | browser info stealer | binaries (download) |
danger | MALWARE_Win_VT_RedLine | Detects RedLine infostealer | binaries (download) |
danger | RedLine_Stealer_b_Zero | RedLine stealer | binaries (download) |
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win_Amadey_Zero | Amadey bot | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | hide_executable_file | Hide executable file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Javascript_Blob | use blob (Binary Large Object) javascript | binaries (download) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | CAB_file_format | CAB archive file | binaries (download) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (113cnts)
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Amadey Bot Activity (POST) M1
ET INFO Dotted Quad Host DLL Request
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey Bot Activity (POST)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO TLS Handshake Failure
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x439044 Sleep
0x439048 GetTempPathA
0x43904c Wow64RevertWow64FsRedirection
0x439050 GetLastError
0x439054 GetFileAttributesA
0x439058 CreateFileA
0x43905c CloseHandle
0x439060 GetSystemInfo
0x439064 CreateThread
0x439068 GetThreadContext
0x43906c SetCurrentDirectoryA
0x439070 VirtualAllocEx
0x439074 RemoveDirectoryA
0x439078 ReadProcessMemory
0x43907c CreateProcessA
0x439080 CreateDirectoryA
0x439084 SetThreadContext
0x439088 ReadConsoleW
0x43908c SetEndOfFile
0x439090 HeapSize
0x439094 SetFilePointerEx
0x439098 GetModuleHandleA
0x43909c ResumeThread
0x4390a0 GetComputerNameExW
0x4390a4 GetVersionExW
0x4390a8 CreateMutexA
0x4390ac WaitForSingleObject
0x4390b0 PeekNamedPipe
0x4390b4 CreatePipe
0x4390b8 VirtualAlloc
0x4390bc Wow64DisableWow64FsRedirection
0x4390c0 WriteFile
0x4390c4 VirtualFree
0x4390c8 SetHandleInformation
0x4390cc WriteProcessMemory
0x4390d0 GetModuleFileNameA
0x4390d4 GetProcAddress
0x4390d8 ReadFile
0x4390dc GetConsoleMode
0x4390e0 GetConsoleCP
0x4390e4 FlushFileBuffers
0x4390e8 GetProcessHeap
0x4390ec SetEnvironmentVariableW
0x4390f0 FreeEnvironmentStringsW
0x4390f4 GetEnvironmentStringsW
0x4390f8 GetOEMCP
0x4390fc GetACP
0x439100 IsValidCodePage
0x439104 FindNextFileW
0x439108 FindFirstFileExW
0x43910c FindClose
0x439110 GetTimeZoneInformation
0x439114 HeapReAlloc
0x439118 SetStdHandle
0x43911c GetFullPathNameW
0x439120 GetCurrentDirectoryW
0x439124 DeleteFileW
0x439128 EnumSystemLocalesW
0x43912c GetUserDefaultLCID
0x439130 IsValidLocale
0x439134 HeapAlloc
0x439138 HeapFree
0x43913c WideCharToMultiByte
0x439140 EnterCriticalSection
0x439144 LeaveCriticalSection
0x439148 DeleteCriticalSection
0x43914c SetLastError
0x439150 InitializeCriticalSectionAndSpinCount
0x439154 CreateEventW
0x439158 SwitchToThread
0x43915c TlsAlloc
0x439160 TlsGetValue
0x439164 TlsSetValue
0x439168 TlsFree
0x43916c GetSystemTimeAsFileTime
0x439170 GetModuleHandleW
0x439174 EncodePointer
0x439178 DecodePointer
0x43917c MultiByteToWideChar
0x439180 CompareStringW
0x439184 LCMapStringW
0x439188 GetLocaleInfoW
0x43918c GetStringTypeW
0x439190 GetCPInfo
0x439194 SetEvent
0x439198 ResetEvent
0x43919c WaitForSingleObjectEx
0x4391a0 IsDebuggerPresent
0x4391a4 UnhandledExceptionFilter
0x4391a8 SetUnhandledExceptionFilter
0x4391ac GetStartupInfoW
0x4391b0 IsProcessorFeaturePresent
0x4391b4 QueryPerformanceCounter
0x4391b8 GetCurrentProcessId
0x4391bc GetCurrentThreadId
0x4391c0 InitializeSListHead
0x4391c4 GetCurrentProcess
0x4391c8 TerminateProcess
0x4391cc RaiseException
0x4391d0 RtlUnwind
0x4391d4 FreeLibrary
0x4391d8 LoadLibraryExW
0x4391dc ExitProcess
0x4391e0 GetModuleHandleExW
0x4391e4 CreateFileW
0x4391e8 GetDriveTypeW
0x4391ec GetFileInformationByHandle
0x4391f0 GetFileType
0x4391f4 SystemTimeToTzSpecificLocalTime
0x4391f8 FileTimeToSystemTime
0x4391fc GetModuleFileNameW
0x439200 GetStdHandle
0x439204 GetCommandLineA
0x439208 GetCommandLineW
0x43920c WriteConsoleW
USER32.dll
0x439228 GetSystemMetrics
0x43922c ReleaseDC
0x439230 GetDC
GDI32.dll
0x43902c CreateCompatibleBitmap
0x439030 SelectObject
0x439034 CreateCompatibleDC
0x439038 DeleteObject
0x43903c BitBlt
ADVAPI32.dll
0x439000 RegCloseKey
0x439004 RegGetValueA
0x439008 RegQueryValueExA
0x43900c GetSidSubAuthorityCount
0x439010 GetSidSubAuthority
0x439014 GetUserNameA
0x439018 LookupAccountNameA
0x43901c RegSetValueExA
0x439020 RegOpenKeyExA
0x439024 GetSidIdentifierAuthority
SHELL32.dll
0x439214 SHGetFolderPathA
0x439218 ShellExecuteA
0x43921c None
0x439220 SHFileOperationA
WININET.dll
0x439238 HttpOpenRequestA
0x43923c InternetReadFile
0x439240 InternetConnectA
0x439244 HttpSendRequestA
0x439248 InternetCloseHandle
0x43924c InternetOpenA
0x439250 HttpSendRequestExA
0x439254 HttpAddRequestHeadersA
0x439258 HttpEndRequestA
0x43925c InternetOpenW
0x439260 InternetOpenUrlA
0x439264 InternetWriteFile
gdiplus.dll
0x43926c GdipSaveImageToFile
0x439270 GdipGetImageEncodersSize
0x439274 GdipDisposeImage
0x439278 GdipCreateBitmapFromHBITMAP
0x43927c GdipGetImageEncoders
0x439280 GdiplusShutdown
0x439284 GdiplusStartup
EAT (Export Address Table) is none