popup

Report - face.exe

Amadey Generic Malware NSIS Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE32 PE File PNG Format OS Processor Check DLL .NET EXE ZIP Format MZP Format JPEG Format BMP Format CHM Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.01.23 08:04 Machine s1_win7_x6403
Filename face.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
25.8
ZERO API file : malware
VT API (file)
md5 b367a4da8177d0be7638599aad1caa9b
sha256 3b1c6930afaa617da6457a8bfca580e8739ef04301599e9e54f8f0bcfb194355
ssdeep 24576:jBLATEOrY43Fq2Be8Duj3UWn6wQLBaWnBCqtAV8nQ3v0lHGfYED:JAR1uTUHlLBaWntSeQcHGf
imphash 5ab723dc8d5af21b79dc301ed6a56a64
impfuzzy 12:c2cDvZGqA9AwDXRgKQcOx/0yNCPsKAJSn:clDRdWAwDOdxCTn
  Network IP location

Signature (55cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Disables Windows Security features
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Connects to an IRC server
watch Creates a slightly modified copy of itself
watch Deletes a large number of files from the system indicative of ransomware
watch Deletes executed files from disk
watch Detects VirtualBox through the presence of a file
watch Drops 159 unknown file mime types indicative of ransomware writing encrypted files back to disk
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice An executable file was downloaded by the processes face.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (38cnts)

Level Name Description Collection
danger Win_Amadey_Zero Amadey bot binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning NSIS_Installer Null Soft Installer binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info anti_dbg Checks if being debugged memory
info bmp_file_format bmp file format binaries (download)
info CAB_file_format CAB archive file binaries (download)
info chm_file_format chm file format binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info docx Word 2007 file format detection binaries (download)
info icon_file_format icon file format binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info wget_command wget command binaries (download)
info zip_file_format ZIP file format binaries (download)

Network (45cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.215.113.68/theme/Plugins/clip64.dll
whois
Unknown 185.215.113.68 38951 malware
http://185.172.128.109/syncUpd.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.109 malware
http://109.107.182.3/cost/vimu.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39038 malware
http://109.107.182.3/cost/networ.exe
whois
RU Teleport-TV Ltd 109.107.182.3 mailcious
http://185.215.113.68/theme/Plugins/cred64.dll
whois
Unknown 185.215.113.68 38948 malware
http://185.172.128.19/latestrocki.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.19 malware
http://109.107.182.3/cost/nika.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39037 malware
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US AKAMAI-AS 23.32.56.72 clean
http://87.251.77.166/SetupPowerGREPDemo.exe
whois
RU Hostkey B.v. 87.251.77.166 mailcious
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
whois
RU OOO Nadym Svyaz Service 185.172.128.90 38981 mailcious
http://109.107.182.3/cost/go.exe
whois
RU Teleport-TV Ltd 109.107.182.3 39025 mailcious
http://185.215.113.68/mine/amer.exe
whois
Unknown 185.215.113.68 39024 malware
http://185.215.113.68/theme/index.php
whois
Unknown 185.215.113.68 38935 mailcious
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp19ppAsRv2o6lyozUloXtl2vtHTQ_Z5hQtp6-dWz_Yb_d5Sog8ygYecStquNLy1xgWdXfMz&passive=1209600&flowName=WebLite
whois
US GOOGLE 173.194.174.84 clean
https://www.google.com/favicon.ico
whois
US GOOGLE 142.251.220.68 clean
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
whois
US GOOGLE 216.58.200.227 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
whois
US GOOGLE 173.194.174.84 clean
https://accounts.google.com/_/bscframe
whois
US GOOGLE 173.194.174.84 clean
https://accounts.google.com/
whois
US GOOGLE 173.194.174.84 clean
https://accounts.google.com/generate_204?dNjB8g
whois
US GOOGLE 173.194.174.84 clean
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0prvDtaojbUs_fFiN9b9CD7hkEJ1nHDhTfd9vIUqM3YxyI4uMpGixUZhaFGRKzHsJvSPCU
whois
US GOOGLE 173.194.174.84 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
www.google.com
whois
US GOOGLE 142.250.76.132 clean
ssl.gstatic.com
whois
US GOOGLE 142.250.207.99 clean
www.fleefight.it
whois
RO International Olisat S.R.L. 94.177.48.37 malware
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
i.alie3ksgaa.com
whois
HK HK Kwaifong Group Limited 154.92.15.189 mailcious
accounts.google.com
whois
US GOOGLE 64.233.188.84 clean
193.233.132.62
whois
RU JSC Redcom-lnternet 193.233.132.62 mailcious
216.58.200.227
whois
US GOOGLE 216.58.200.227 clean
94.177.48.37
whois
RO International Olisat S.R.L. 94.177.48.37 malware
87.251.77.166
whois
RU Hostkey B.v. 87.251.77.166 mailcious
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
173.194.174.84
whois
US GOOGLE 173.194.174.84 clean
185.215.113.68
whois
Unknown 185.215.113.68 malware
185.172.128.19
whois
RU OOO Nadym Svyaz Service 185.172.128.19 mailcious
185.172.128.90
whois
RU OOO Nadym Svyaz Service 185.172.128.90 mailcious
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
142.251.220.68
whois
US GOOGLE 142.251.220.68 clean
61.111.58.35
whois
KR LG DACOM Corporation 61.111.58.35 malware
185.172.128.53
whois
RU OOO Nadym Svyaz Service 185.172.128.53 malware
154.92.15.189
whois
HK HK Kwaifong Group Limited 154.92.15.189 mailcious
185.172.128.109
whois
RU OOO Nadym Svyaz Service 185.172.128.109 malware
109.107.182.3
whois
RU Teleport-TV Ltd 109.107.182.3 mailcious

Suricata ids

ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Packed Executable Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Amadey Bot Activity (POST)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x84513c VirtualAlloc
 0x845140 VirtualFree
 0x845144 GetModuleHandleA
 0x845148 GetProcAddress
 0x84514c ExitProcess
 0x845150 LoadLibraryA
user32.dll
 0x845158 MessageBoxA
advapi32.dll
 0x845160 RegCloseKey
oleaut32.dll
 0x845168 SysFreeString
gdi32.dll
 0x845170 CreateFontA
shell32.dll
 0x845178 ShellExecuteA
version.dll
 0x845180 GetFileVersionInfoA
ole32.dll
 0x845188 CoInitializeEx
ws2_32.dll
 0x845190 WSAStartup
crypt32.dll
 0x845198 CryptUnprotectData
shlwapi.dll
 0x8451a0 PathFindExtensionA
gdiplus.dll
 0x8451a8 GdiplusStartup
setupapi.dll
 0x8451b0 SetupDiEnumDeviceInterfaces
ntdll.dll
 0x8451b8 RtlUnicodeStringToAnsiString

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure