Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.08.07 10:04	Machine	s1_win7_x6403
Filename	amadey.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	7	Behavior Score	13.6
ZERO API	file : malware
VT API (file)	52 detected (AIDetectMalware, Amadey, malicious, high confidence, score, Zusy, Unsafe, Save, Attribute, HighConfidence, FCND, CLOUD, Static AI, Malicious PE, Detected, AGEN, ai score=88, Eldorado, ZexaF, quW@aymJhBgi, R002C0DH624, Pgil, Genetic, confidence, 100%)
md5	107c3b33e05d1d569cccc2052e56055e
sha256	6338b823d5172f0321814534c1d7aff08a60132c62de48c2752c2c7dfc191228
ssdeep	6144:og7RU92ushCQjrnlNTnbWRp1MHuqbMlAOxyYizl7:mTshCQjrnlluMHuqberyT7
imphash	dc5e346c01606ee3d3aee4549b4acd39
impfuzzy	48:OeRHXr2ncGOac+JbAtSS1jGoZcc6g3GAF57fwwRLP2HN+5TPg:vZXlGLc+JMtSS1jGoZc9c7RLCSzg

Network IP location

Signature (29cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 52 AntiVirus engines on VirusTotal as malicious
watch	Attempts to access Bitcoin/ALTCoin wallets
watch	Attempts to identify installed AV products by installation directory
watch	Communicates with host for which no DNS query was performed
watch	Harvests credentials from local email clients
watch	Harvests credentials from local FTP client softwares
watch	Harvests information related to installed instant messenger clients
watch	Installs itself for autorun at Windows startup
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An executable file was downloaded by the process utsysc.exe
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Drops a binary and executes it
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Searches running processes potentially to identify processes for sandbox evasion
notice	Sends data using the HTTP POST Method
notice	Steals private information from local Internet browsers
notice	Uses Windows utilities for basic Windows functionality
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	Command line console output was observed
info	Queries for the computername
info	This executable has a PDB path
info	Tries to locate where the browsers are installed

Rules (18cnts)

Level	Name	Description	Collection
danger	Win_Amadey_Zero	Amadey bot	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	JPEG_Format_Zero	JPEG Format	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (33cnts) ?

Request	ASN Co	IP4	ZERO ?
http://80.66.75.214/g8djmsaxA/Plugins/cred64.dll whois	Alexander Valerevich Mokhonko	80.66.75.214	clean
http://80.66.75.214/g8djmsaxA/Plugins/clip64.dll whois	Alexander Valerevich Mokhonko	80.66.75.214	clean
http://80.66.75.214/g8djmsaxA/index.php?scr=1 whois	Alexander Valerevich Mokhonko	80.66.75.214	clean
http://80.66.75.214/g8djmsaxA/index.php whois	Alexander Valerevich Mokhonko	80.66.75.214	clean
197.234.223.180 whois	Spacetel	197.234.223.180	clean
77.246.158.216 whois	JSC The First	77.246.158.216	clean
157.97.109.159 whois	Profitbricks GmbH	157.97.109.159	clean
83.243.47.17 whois	meerfarbig GmbH & Co. KG	83.243.47.17	clean
118.25.101.87 whois	Shenzhen Tencent Computer Systems Company Limited	118.25.101.87	clean
47.99.144.17 whois	Hangzhou Alibaba Advertising Co.,Ltd.	47.99.144.17	clean
79.124.17.242 whois	Telepoint Ltd	79.124.17.242	clean
37.16.7.184 whois	Mijndomein Hosting B.V.	37.16.7.184	clean
34.43.67.154 whois		34.43.67.154	clean
162.0.211.158 whois	ACP	162.0.211.158	clean
213.100.160.101 whois	TELE2	213.100.160.101	clean
110.42.3.95 whois	NINGBO, ZHEJIANG Province, P.R.China.	110.42.3.95	clean
80.66.75.214 whois	Alexander Valerevich Mokhonko	80.66.75.214	malware
63.134.234.92 whois	CRYSTALTECH	63.134.234.92	clean
146.148.25.153 whois	GOOGLE	146.148.25.153	clean
116.202.81.93 whois	Hetzner Online GmbH	116.202.81.93	clean
125.229.77.252 whois	Data Communication Business Group	125.229.77.252	clean
182.92.155.50 whois	Hangzhou Alibaba Advertising Co.,Ltd.	182.92.155.50	clean
38.249.8.144 whois	COGENT-174	38.249.8.144	clean
38.249.14.69 whois	COGENT-174	38.249.14.69	clean
119.176.96.94 whois	CHINA UNICOM China169 Backbone	119.176.96.94	clean
184.154.46.96 whois	SINGLEHOP-LLC	184.154.46.96	clean
213.199.32.146 whois		213.199.32.146	clean
79.96.222.94 whois	home.pl S.A.	79.96.222.94	clean
178.17.168.102 whois	I.C.S. Trabia-Network S.R.L.	178.17.168.102	clean
155.159.241.238 whois	ASLINE LIMITED	155.159.241.238	clean
87.230.85.251 whois	Host Europe GmbH	87.230.85.251	clean
162.240.68.86 whois	UNIFIEDLAYER-AS-1	162.240.68.86	clean
68.183.179.133 whois	DIGITALOCEAN-ASN	68.183.179.133	clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x430044 Sleep
0x430048 GetTempPathA
0x43004c GetLastError
0x430050 GetFileAttributesA
0x430054 CreateFileA
0x430058 CloseHandle
0x43005c GetSystemInfo
0x430060 CreateThread
0x430064 GetThreadContext
0x430068 SetCurrentDirectoryA
0x43006c VirtualAllocEx
0x430070 RemoveDirectoryA
0x430074 ReadProcessMemory
0x430078 CreateProcessA
0x43007c CreateDirectoryA
0x430080 SetThreadContext
0x430084 ReadConsoleW
0x430088 SetEndOfFile
0x43008c HeapSize
0x430090 SetFilePointerEx
0x430094 GetModuleHandleA
0x430098 ResumeThread
0x43009c GetComputerNameExW
0x4300a0 GetVersionExW
0x4300a4 CreateMutexA
0x4300a8 PeekNamedPipe
0x4300ac VirtualAlloc
0x4300b0 WriteFile
0x4300b4 VirtualFree
0x4300b8 WriteProcessMemory
0x4300bc GetModuleFileNameA
0x4300c0 GetProcAddress
0x4300c4 ReadFile
0x4300c8 GetConsoleMode
0x4300cc GetConsoleCP
0x4300d0 FlushFileBuffers
0x4300d4 GetProcessHeap
0x4300d8 SetEnvironmentVariableW
0x4300dc FreeEnvironmentStringsW
0x4300e0 GetEnvironmentStringsW
0x4300e4 GetOEMCP
0x4300e8 GetACP
0x4300ec IsValidCodePage
0x4300f0 FindNextFileW
0x4300f4 FindFirstFileExW
0x4300f8 FindClose
0x4300fc GetTimeZoneInformation
0x430100 HeapReAlloc
0x430104 SetStdHandle
0x430108 GetFullPathNameW
0x43010c GetCurrentDirectoryW
0x430110 DeleteFileW
0x430114 HeapAlloc
0x430118 HeapFree
0x43011c WideCharToMultiByte
0x430120 EnterCriticalSection
0x430124 LeaveCriticalSection
0x430128 DeleteCriticalSection
0x43012c SetLastError
0x430130 InitializeCriticalSectionAndSpinCount
0x430134 CreateEventW
0x430138 TlsAlloc
0x43013c TlsGetValue
0x430140 TlsSetValue
0x430144 TlsFree
0x430148 GetSystemTimeAsFileTime
0x43014c GetModuleHandleW
0x430150 EncodePointer
0x430154 DecodePointer
0x430158 MultiByteToWideChar
0x43015c CompareStringW
0x430160 LCMapStringW
0x430164 GetStringTypeW
0x430168 GetCPInfo
0x43016c SetEvent
0x430170 ResetEvent
0x430174 WaitForSingleObjectEx
0x430178 IsDebuggerPresent
0x43017c UnhandledExceptionFilter
0x430180 SetUnhandledExceptionFilter
0x430184 GetStartupInfoW
0x430188 IsProcessorFeaturePresent
0x43018c QueryPerformanceCounter
0x430190 GetCurrentProcessId
0x430194 GetCurrentThreadId
0x430198 InitializeSListHead
0x43019c GetCurrentProcess
0x4301a0 TerminateProcess
0x4301a4 RaiseException
0x4301a8 RtlUnwind
0x4301ac FreeLibrary
0x4301b0 LoadLibraryExW
0x4301b4 ExitProcess
0x4301b8 GetModuleHandleExW
0x4301bc CreateFileW
0x4301c0 GetDriveTypeW
0x4301c4 GetFileInformationByHandle
0x4301c8 GetFileType
0x4301cc SystemTimeToTzSpecificLocalTime
0x4301d0 FileTimeToSystemTime
0x4301d4 GetModuleFileNameW
0x4301d8 GetStdHandle
0x4301dc GetCommandLineA
0x4301e0 GetCommandLineW
0x4301e4 WriteConsoleW
USER32.dll
0x430200 GetSystemMetrics
0x430204 ReleaseDC
0x430208 GetDC
GDI32.dll
0x43002c CreateCompatibleBitmap
0x430030 SelectObject
0x430034 CreateCompatibleDC
0x430038 DeleteObject
0x43003c BitBlt
ADVAPI32.dll
0x430000 RegCloseKey
0x430004 RegGetValueA
0x430008 RegQueryValueExA
0x43000c GetSidSubAuthorityCount
0x430010 GetSidSubAuthority
0x430014 GetUserNameA
0x430018 LookupAccountNameA
0x43001c RegSetValueExA
0x430020 RegOpenKeyExA
0x430024 GetSidIdentifierAuthority
SHELL32.dll
0x4301ec SHGetFolderPathA
0x4301f0 ShellExecuteA
0x4301f4 None
0x4301f8 SHFileOperationA
WININET.dll
0x430210 HttpOpenRequestA
0x430214 InternetReadFile
0x430218 InternetConnectA
0x43021c HttpSendRequestA
0x430220 InternetCloseHandle
0x430224 InternetOpenA
0x430228 HttpSendRequestExA
0x43022c HttpAddRequestHeadersA
0x430230 HttpEndRequestA
0x430234 InternetOpenW
0x430238 InternetOpenUrlA
0x43023c InternetWriteFile
gdiplus.dll
0x430244 GdipSaveImageToFile
0x430248 GdipGetImageEncodersSize
0x43024c GdipDisposeImage
0x430250 GdipCreateBitmapFromHBITMAP
0x430254 GdipGetImageEncoders
0x430258 GdiplusShutdown
0x43025c GdiplusStartup

EAT(Export Address Table) is none

Report - amadey.exe

Signature (29cnts)

Rules (18cnts)

Network (33cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure