ScreenShot
| Created | 2024.06.27 10:24 | Machine | s1_win7_x6401 |
| Filename | ama.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 63 detected (AIDetectMalware, Deyma, malicious, high confidence, score, Artemis, GenericKD, Unsafe, Kryptik, Vxtz, Genus, Whispergate, GenKryptik, GTBH, DropperX, Midie, kisjwz, ShellCodeRunner, CLASSIC, aazir, MulDrop25, AMADEY, YXEBTZ, Detected, ai score=100, Sabsik, Malware@#9hninsk78puu, ABTrojan, RHAI, ZexaE, yv2@aOtiiAmi, Chgt, Gencirc, Static AI, Malicious PE, susgen, confidence, 100%) | ||
| md5 | 04055601abbd16ec6cc9e02450c19381 | ||
| sha256 | b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13 | ||
| ssdeep | 24576:HhSIBky91oHhqyp54SWIbts8MZHq9NGCzgNgpiZtsyCx+OO9OKfNgd5H4+3:B3J91qhDp5HWAsF28ZtsJsOO9WH4g | ||
| imphash | 8639bc0a8f788c11ad7a38216a23e462 | ||
| impfuzzy | 24:DAIJFiNGbDo4lfPteS1GMndlJeDc+plz9LoEOovbOr4ZHu93vB3l1:0IJF42fPteS1xic+p9Jc35BV1 | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Drops an executable to the user AppData folder |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x4cf130 TranslateMessage
0x4cf134 KillTimer
0x4cf138 DispatchMessageW
0x4cf13c GetMessageW
0x4cf140 SetTimer
KERNEL32.dll
0x4cf000 TlsFree
0x4cf004 WriteConsoleW
0x4cf008 CloseHandle
0x4cf00c CreateFileW
0x4cf010 GetDiskFreeSpaceExA
0x4cf014 GetTempFileNameW
0x4cf018 HeapAlloc
0x4cf01c HeapFree
0x4cf020 GetCurrentProcess
0x4cf024 VirtualProtect
0x4cf028 GetModuleHandleA
0x4cf02c GetProcAddress
0x4cf030 LoadLibraryA
0x4cf034 lstrcmpiA
0x4cf038 lstrcpyW
0x4cf03c lstrlenA
0x4cf040 lstrlenW
0x4cf044 MultiByteToWideChar
0x4cf048 FreeConsole
0x4cf04c UnhandledExceptionFilter
0x4cf050 SetUnhandledExceptionFilter
0x4cf054 TerminateProcess
0x4cf058 IsProcessorFeaturePresent
0x4cf05c QueryPerformanceCounter
0x4cf060 GetCurrentProcessId
0x4cf064 GetCurrentThreadId
0x4cf068 GetSystemTimeAsFileTime
0x4cf06c InitializeSListHead
0x4cf070 IsDebuggerPresent
0x4cf074 GetStartupInfoW
0x4cf078 GetModuleHandleW
0x4cf07c SetFilePointerEx
0x4cf080 GetConsoleMode
0x4cf084 RaiseException
0x4cf088 GetLastError
0x4cf08c SetLastError
0x4cf090 EncodePointer
0x4cf094 EnterCriticalSection
0x4cf098 LeaveCriticalSection
0x4cf09c DeleteCriticalSection
0x4cf0a0 InitializeCriticalSectionAndSpinCount
0x4cf0a4 TlsAlloc
0x4cf0a8 TlsGetValue
0x4cf0ac TlsSetValue
0x4cf0b0 DecodePointer
0x4cf0b4 FreeLibrary
0x4cf0b8 LoadLibraryExW
0x4cf0bc GetStdHandle
0x4cf0c0 WriteFile
0x4cf0c4 GetModuleFileNameW
0x4cf0c8 ExitProcess
0x4cf0cc GetModuleHandleExW
0x4cf0d0 GetCommandLineA
0x4cf0d4 GetCommandLineW
0x4cf0d8 FindClose
0x4cf0dc FindFirstFileExW
0x4cf0e0 FindNextFileW
0x4cf0e4 IsValidCodePage
0x4cf0e8 GetACP
0x4cf0ec GetOEMCP
0x4cf0f0 GetCPInfo
0x4cf0f4 WideCharToMultiByte
0x4cf0f8 GetEnvironmentStringsW
0x4cf0fc FreeEnvironmentStringsW
0x4cf100 SetEnvironmentVariableW
0x4cf104 SetStdHandle
0x4cf108 GetFileType
0x4cf10c GetStringTypeW
0x4cf110 CompareStringW
0x4cf114 LCMapStringW
0x4cf118 GetProcessHeap
0x4cf11c HeapSize
0x4cf120 HeapReAlloc
0x4cf124 FlushFileBuffers
0x4cf128 GetConsoleOutputCP
ntdll.dll
0x4cf148 RtlUnwind
EAT(Export Address Table) is none
USER32.dll
0x4cf130 TranslateMessage
0x4cf134 KillTimer
0x4cf138 DispatchMessageW
0x4cf13c GetMessageW
0x4cf140 SetTimer
KERNEL32.dll
0x4cf000 TlsFree
0x4cf004 WriteConsoleW
0x4cf008 CloseHandle
0x4cf00c CreateFileW
0x4cf010 GetDiskFreeSpaceExA
0x4cf014 GetTempFileNameW
0x4cf018 HeapAlloc
0x4cf01c HeapFree
0x4cf020 GetCurrentProcess
0x4cf024 VirtualProtect
0x4cf028 GetModuleHandleA
0x4cf02c GetProcAddress
0x4cf030 LoadLibraryA
0x4cf034 lstrcmpiA
0x4cf038 lstrcpyW
0x4cf03c lstrlenA
0x4cf040 lstrlenW
0x4cf044 MultiByteToWideChar
0x4cf048 FreeConsole
0x4cf04c UnhandledExceptionFilter
0x4cf050 SetUnhandledExceptionFilter
0x4cf054 TerminateProcess
0x4cf058 IsProcessorFeaturePresent
0x4cf05c QueryPerformanceCounter
0x4cf060 GetCurrentProcessId
0x4cf064 GetCurrentThreadId
0x4cf068 GetSystemTimeAsFileTime
0x4cf06c InitializeSListHead
0x4cf070 IsDebuggerPresent
0x4cf074 GetStartupInfoW
0x4cf078 GetModuleHandleW
0x4cf07c SetFilePointerEx
0x4cf080 GetConsoleMode
0x4cf084 RaiseException
0x4cf088 GetLastError
0x4cf08c SetLastError
0x4cf090 EncodePointer
0x4cf094 EnterCriticalSection
0x4cf098 LeaveCriticalSection
0x4cf09c DeleteCriticalSection
0x4cf0a0 InitializeCriticalSectionAndSpinCount
0x4cf0a4 TlsAlloc
0x4cf0a8 TlsGetValue
0x4cf0ac TlsSetValue
0x4cf0b0 DecodePointer
0x4cf0b4 FreeLibrary
0x4cf0b8 LoadLibraryExW
0x4cf0bc GetStdHandle
0x4cf0c0 WriteFile
0x4cf0c4 GetModuleFileNameW
0x4cf0c8 ExitProcess
0x4cf0cc GetModuleHandleExW
0x4cf0d0 GetCommandLineA
0x4cf0d4 GetCommandLineW
0x4cf0d8 FindClose
0x4cf0dc FindFirstFileExW
0x4cf0e0 FindNextFileW
0x4cf0e4 IsValidCodePage
0x4cf0e8 GetACP
0x4cf0ec GetOEMCP
0x4cf0f0 GetCPInfo
0x4cf0f4 WideCharToMultiByte
0x4cf0f8 GetEnvironmentStringsW
0x4cf0fc FreeEnvironmentStringsW
0x4cf100 SetEnvironmentVariableW
0x4cf104 SetStdHandle
0x4cf108 GetFileType
0x4cf10c GetStringTypeW
0x4cf110 CompareStringW
0x4cf114 LCMapStringW
0x4cf118 GetProcessHeap
0x4cf11c HeapSize
0x4cf120 HeapReAlloc
0x4cf124 FlushFileBuffers
0x4cf128 GetConsoleOutputCP
ntdll.dll
0x4cf148 RtlUnwind
EAT(Export Address Table) is none