popup

Report - amad.exe

.NET framework(MSIL) PE32 PE File .NET EXE
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.03.13 07:53 Machine s1_win7_x6403
Filename amad.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
6
 Behavior Score
5.0
ZERO API file : malware
VT API (file)
md5 221bde86c555118e43df5fb971190659
sha256 6198e8da287ceee18021779072ba732a0fd3c63b8aa367e823c0f4fc3a3c4249
ssdeep 49152:tZr3MEA+T3O/QYAZcEzViaxSDMGXbigsbDKsNaIfUQ3t7H:PAf+T7TFMwGXbigsbDHVff
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (13cnts)

Level Description
watch Attempts to identify installed AV products by installation directory
watch Installs itself for autorun at Windows startup
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Uses Windows APIs to generate a cryptographic key

Rules (4cnts)

Level Name Description Collection
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://c-cdns.top/g8VqD9fmdE/index.php
whois
BG Sharcom Ltd. 87.120.84.156 clean
c-cdns.top
whois
BG Sharcom Ltd. 87.120.84.156 clean
87.120.84.156
whois
BG Sharcom Ltd. 87.120.84.156 clean

Suricata ids

ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure