Field | Value |
---|---|
Created | 2024.08.11 15:03 |
Machine | s1_win7_x6401 |
Filename | newalp.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | (not captured) |
Behavior Score | (not captured) |
ZERO API | file : malicious |
VT API (file) | 64 detected (AIDetectMalware, Amadey, Windows, Threat, Malicious, score, Doina, Unsafe, Vvpq, Delf, Attribute, HighConfidence, Artemis, DropperX, Deyma, 7rIQ0Y4iUJR, AGEN, MulDrop28, YXEHFZ, Real Protect, high, Static AI, Malicious PE, Detected, ai score=87, HeurC, KVMH017, Multiverze, Eldorado, R659224, BScope, Chgt, Gencirc, dJyHYA0DiZA, susgen, confidence) |
md5 | 6093bb59e7707afe20ca2d9b80327b49 |
sha256 | 3acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3 |
ssdeep | 12288:5HF6/qNlNVOOLNke4CcabJBP5u2uP/QpGdz1LoI:k0lNVOWNdpbLcQpsVoI |
imphash | be0c2c50a71730b54474cda1c9b2928c |
impfuzzy | 96:QXYDGKnh5Edcg+JU0tWmuX17fysX+kXpEi0ZRLnW:QZM8hF7fHOk5EbO |
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 64 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process hkbsse.exe |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
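The "Communicates with host for which no DNS query was performed" signature above is a correlation check: every outbound connection is compared against the set of addresses that earlier DNS answers produced, and a destination nobody resolved points at a hardcoded address (the Suricata "Executable Download from dotted-quad Host" alerts below are the same observation made on the wire). The following is an added example of that logic, not the sandbox's own code; SAMPLE_EVENTS is constructed, the record fields are assumptions, the addresses are TEST-NET ranges, and nanopool.org appears only because the report's alerts name it.

```python
"""Correlate DNS answers with outbound connections.

Added example, not part of the report: it implements the check behind the
'Communicates with host for which no DNS query was performed' signature.
SAMPLE_EVENTS is constructed; the record fields and the TEST-NET addresses are
assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float   # seconds from start of the run
    kind: str   # "dns" (an answer) or "connect" (an outbound connect)
    name: str   # queried name for dns, "" for connect
    ip: str     # answered address for dns, destination address for connect


SAMPLE_EVENTS = [
    Event(0.4, "dns", "nanopool.org", "203.0.113.10"),
    Event(0.9, "connect", "", "203.0.113.10"),   # preceded by an answer: fine
    Event(1.2, "connect", "", "198.51.100.7"),   # no answer ever produced this IP
    Event(1.3, "connect", "", "127.0.0.1"),      # loopback: ignored
    Event(2.0, "dns", "example.net", "192.0.2.44"),
    Event(2.1, "connect", "", "192.0.2.44"),
    Event(3.0, "connect", "", "198.51.100.7"),   # repeat of the hardcoded host
]


def _ignorable(ip):
    # Loopback, link-local, multicast and 0.0.0.0 are sandbox noise. RFC 1918
    # space is deliberately NOT excluded: a hardcoded internal staging host is
    # just as interesting as a public one.
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_link_local or a.is_multicast or a.is_unspecified


def connections_without_dns(events):
    """Return the sorted, de-duplicated destination IPs that were contacted
    without a preceding DNS answer naming them.

    Events are walked in time order, so a connect that races ahead of its own
    DNS answer is flagged too; the address must have come from somewhere other
    than that lookup.
    """
    resolved, flagged = set(), set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns" and ev.ip:
            resolved.add(ev.ip)
        elif ev.kind == "connect" and ev.ip not in resolved and not _ignorable(ev.ip):
            flagged.add(ev.ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in connections_without_dns(SAMPLE_EVENTS):
        print("connect without DNS:", ip)
```

The check is only as good as the DNS capture: DoH, a resolver cache warmed by another process, or a hosts-file entry will all produce "unresolved" connects, so treat a hit as a pivot (who else talks to this address, what was downloaded from it) rather than a verdict on its own.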
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
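The static rules above (IsPE32/IsPE64, OS_Processor_Check, UPX_Zero, PE_Header_Zero) all reduce to a walk of the PE headers: the MZ stub, the PE signature at e_lfanew, the COFF Machine field, the optional-header magic (0x10B for PE32, 0x20B for PE32+) and the section table, where UPX leaves its UPX0/UPX1 names. The block below is an added example of that walk and is not the sandbox's rule code. Since the sample itself cannot be embedded here, build_min_pe() constructs a header-only image with an assumed layout (64-byte DOS stub, NT headers, section table); the UPX check is the usual section-name heuristic, which a repacker can defeat by renaming sections.

```python
"""Minimal PE header walk: PE32 vs PE32+, target machine, UPX section names.

Added example, not part of the report or of the sandbox's rule set.
build_min_pe() constructs a header-only PE (assumed layout: 64-byte DOS stub,
NT headers, section table) so the parser can be exercised offline.
"""
import struct

MACHINES = {0x14C: "i386", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def build_min_pe(machine, opt_magic, section_names):
    """Constructed header-only PE (no code), just enough for inspect_pe()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    size_opt = 0xE0 if opt_magic == 0x10B else 0xF0             # standard sizes
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", opt_magic) + b"\0" * (size_opt - 2)
    sects = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + sects


def inspect_pe(data):
    """Return machine, PE format, section names and a UPX heuristic, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)      # optional header Magic
    sect_off = pe_off + 24 + size_opt                           # section table start
    names = []
    for i in range(nsect):
        raw = data[sect_off + 40 * i: sect_off + 40 * i + 8]    # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe_format": OPT_MAGIC.get(magic, hex(magic)),
        "sections": names,
        # UPX names its sections UPX0/UPX1 (and leaves .rsrc); renaming defeats this.
        "upx_packed": any(n.startswith("UPX") for n in names),
    }


def is_pe(data):
    try:
        inspect_pe(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_min_pe(0x14C, 0x10B, [b"UPX0", b"UPX1", b".rsrc"])
    print(inspect_pe(sample))
```

On a real file the same walk should also compare SizeOfRawData against VirtualSize per section (UPX0 typically has zero raw size and a large virtual size) and check section entropy; the name test alone is why the rule is rated "watch" rather than "danger".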
Network (12cnts)
Suricata ids
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x450030 CreateThread
0x450034 GetLocalTime
0x450038 GetThreadContext
0x45003c GetProcAddress
0x450040 VirtualAllocEx
0x450044 RemoveDirectoryA
0x450048 ReadProcessMemory
0x45004c GetSystemInfo
0x450050 CreateDirectoryA
0x450054 SetThreadContext
0x450058 SetEndOfFile
0x45005c DecodePointer
0x450060 ReadConsoleW
0x450064 HeapReAlloc
0x450068 HeapSize
0x45006c CloseHandle
0x450070 CreateFileA
0x450074 GetFileAttributesA
0x450078 GetLastError
0x45007c Sleep
0x450080 GetTempPathA
0x450084 SetCurrentDirectoryA
0x450088 GetModuleHandleA
0x45008c ResumeThread
0x450090 GetComputerNameExW
0x450094 GetVersionExW
0x450098 CreateMutexA
0x45009c VirtualAlloc
0x4500a0 WriteFile
0x4500a4 VirtualFree
0x4500a8 WriteProcessMemory
0x4500ac GetModuleFileNameA
0x4500b0 CreateProcessA
0x4500b4 ReadFile
0x4500b8 GetTimeZoneInformation
0x4500bc GetConsoleMode
0x4500c0 GetConsoleCP
0x4500c4 FlushFileBuffers
0x4500c8 GetStringTypeW
0x4500cc GetProcessHeap
0x4500d0 SetEnvironmentVariableW
0x4500d4 FreeEnvironmentStringsW
0x4500d8 GetEnvironmentStringsW
0x4500dc GetCPInfo
0x4500e0 GetOEMCP
0x4500e4 GetACP
0x4500e8 IsValidCodePage
0x4500ec FindNextFileW
0x4500f0 FindFirstFileExW
0x4500f4 FindClose
0x4500f8 SetFilePointerEx
0x4500fc SetStdHandle
0x450100 GetFullPathNameW
0x450104 GetCurrentDirectoryW
0x450108 DeleteFileW
0x45010c LCMapStringW
0x450110 CompareStringW
0x450114 MultiByteToWideChar
0x450118 HeapAlloc
0x45011c HeapFree
0x450120 GetCommandLineW
0x450124 GetCommandLineA
0x450128 GetStdHandle
0x45012c FileTimeToSystemTime
0x450130 SystemTimeToTzSpecificLocalTime
0x450134 PeekNamedPipe
0x450138 GetFileType
0x45013c GetFileInformationByHandle
0x450140 GetDriveTypeW
0x450144 RaiseException
0x450148 GetCurrentThreadId
0x45014c IsProcessorFeaturePresent
0x450150 QueueUserWorkItem
0x450154 GetModuleHandleExW
0x450158 FormatMessageW
0x45015c WideCharToMultiByte
0x450160 EnterCriticalSection
0x450164 LeaveCriticalSection
0x450168 TryEnterCriticalSection
0x45016c DeleteCriticalSection
0x450170 SetLastError
0x450174 InitializeCriticalSectionAndSpinCount
0x450178 CreateEventW
0x45017c SwitchToThread
0x450180 TlsAlloc
0x450184 TlsGetValue
0x450188 TlsSetValue
0x45018c TlsFree
0x450190 GetSystemTimeAsFileTime
0x450194 GetTickCount
0x450198 GetModuleHandleW
0x45019c WaitForSingleObjectEx
0x4501a0 QueryPerformanceCounter
0x4501a4 SetEvent
0x4501a8 ResetEvent
0x4501ac UnhandledExceptionFilter
0x4501b0 SetUnhandledExceptionFilter
0x4501b4 GetCurrentProcess
0x4501b8 TerminateProcess
0x4501bc IsDebuggerPresent
0x4501c0 GetStartupInfoW
0x4501c4 GetCurrentProcessId
0x4501c8 InitializeSListHead
0x4501cc CreateTimerQueue
0x4501d0 SignalObjectAndWait
0x4501d4 SetThreadPriority
0x4501d8 GetThreadPriority
0x4501dc GetLogicalProcessorInformation
0x4501e0 CreateTimerQueueTimer
0x4501e4 ChangeTimerQueueTimer
0x4501e8 DeleteTimerQueueTimer
0x4501ec GetNumaHighestNodeNumber
0x4501f0 GetProcessAffinityMask
0x4501f4 SetThreadAffinityMask
0x4501f8 RegisterWaitForSingleObject
0x4501fc UnregisterWait
0x450200 EncodePointer
0x450204 GetCurrentThread
0x450208 GetThreadTimes
0x45020c FreeLibrary
0x450210 FreeLibraryAndExitThread
0x450214 GetModuleFileNameW
0x450218 LoadLibraryExW
0x45021c VirtualProtect
0x450220 DuplicateHandle
0x450224 ReleaseSemaphore
0x450228 InterlockedPopEntrySList
0x45022c InterlockedPushEntrySList
0x450230 InterlockedFlushSList
0x450234 QueryDepthSList
0x450238 UnregisterWaitEx
0x45023c LoadLibraryW
0x450240 RtlUnwind
0x450244 ExitProcess
0x450248 CreateFileW
0x45024c WriteConsoleW
ADVAPI32.dll
0x450000 RegCloseKey
0x450004 RegQueryInfoKeyW
0x450008 RegQueryValueExA
0x45000c GetSidSubAuthorityCount
0x450010 GetSidSubAuthority
0x450014 GetUserNameA
0x450018 LookupAccountNameA
0x45001c RegSetValueExA
0x450020 RegOpenKeyExA
0x450024 RegEnumValueW
0x450028 GetSidIdentifierAuthority
SHELL32.dll
0x450254 SHGetFolderPathA
0x450258 ShellExecuteA
0x45025c None
0x450260 SHFileOperationA
ole32.dll
0x4502b8 CoUninitialize
0x4502bc CoCreateInstance
0x4502c0 CoInitialize
WININET.dll
0x450268 HttpOpenRequestA
0x45026c InternetOpenUrlA
0x450270 InternetOpenW
0x450274 InternetOpenA
0x450278 InternetCloseHandle
0x45027c HttpSendRequestA
0x450280 InternetConnectA
0x450284 InternetReadFile
WS2_32.dll
0x45028c closesocket
0x450290 inet_pton
0x450294 getaddrinfo
0x450298 WSAStartup
0x45029c send
0x4502a0 socket
0x4502a4 connect
0x4502a8 recv
0x4502ac htons
0x4502b0 freeaddrinfo
EAT (Export Address Table): none
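Read together, the imports above describe the sample's toolkit before it runs: CreateProcessA with VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext and ResumeThread is the process-hollowing set; RegOpenKeyExA plus RegSetValueExA matches the autorun signature; GetComputerNameExW, GetVersionExW and GetUserNameA match the host-fingerprint exfil alert; WININET and WS2_32 cover the HTTP POST and the raw-socket traffic. The block below is an added example of turning such a dump into a capability triage and an imphash-style digest; it is not the sandbox's tooling. IAT_DUMP is an abridged copy of the listing above, the capability groups are the editor's heuristics, and the imphash() result is not comparable to the report's value: the unnamed SHELL32 import would need its ordinal (pefile renders it as "ordN"), and the dump's DLL order may not be the import directory's order (the IAT addresses suggest ADVAPI32 comes first).

```python
"""Capability triage and imphash from an IAT dump.

Added example, not part of the report or of the sandbox's own tooling.
IAT_DUMP is an abridged copy of the report's import listing (same 'ADDR Name'
lines, unnamed import kept). CAPABILITIES is the editor's heuristic grouping.
imphash() follows the usual recipe (lowercased 'lib.func' pairs, comma-joined,
MD5) but skips unnamed imports, so its output is not comparable to the report.
"""
import hashlib
import re

IAT_DUMP = """\
KERNEL32.dll
0x450038 GetThreadContext
0x450040 VirtualAllocEx
0x450048 ReadProcessMemory
0x450054 SetThreadContext
0x45008c ResumeThread
0x450090 GetComputerNameExW
0x450094 GetVersionExW
0x450098 CreateMutexA
0x45009c VirtualAlloc
0x4500a8 WriteProcessMemory
0x4500b0 CreateProcessA
0x4501bc IsDebuggerPresent
0x45021c VirtualProtect
ADVAPI32.dll
0x450014 GetUserNameA
0x45001c RegSetValueExA
0x450020 RegOpenKeyExA
SHELL32.dll
0x450254 SHGetFolderPathA
0x450258 ShellExecuteA
0x45025c None
WININET.dll
0x450268 HttpOpenRequestA
0x450274 InternetOpenA
0x45027c HttpSendRequestA
0x450280 InternetConnectA
0x450284 InternetReadFile
WS2_32.dll
0x450298 WSAStartup
0x4502a0 socket
0x4502a4 connect
"""

# capability -> (minimum matching APIs, API set). Thresholds stop one or two
# common imports from raising a strong capability; IsDebuggerPresent, which the
# MSVC runtime links on its own, is reported separately and labelled weak.
CAPABILITIES = {
    "process_hollowing": (5, {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                              "ReadProcessMemory", "GetThreadContext", "SetThreadContext",
                              "ResumeThread"}),
    "rwx_self_unpack": (2, {"VirtualAlloc", "VirtualProtect"}),
    "registry_persistence": (2, {"RegOpenKeyExA", "RegSetValueExA"}),
    "host_fingerprint": (3, {"GetComputerNameExW", "GetVersionExW", "GetUserNameA", "GetSystemInfo"}),
    "wininet_http": (4, {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                         "HttpSendRequestA", "InternetReadFile"}),
    "raw_socket": (3, {"WSAStartup", "socket", "connect", "send", "recv"}),
    "single_instance_mutex": (1, {"CreateMutexA"}),
    "anti_debug_weak": (1, {"IsDebuggerPresent"}),
}


def parse_iat(text):
    """Return [(dll, [name or None, ...])] in dump order; None marks an unnamed import."""
    libs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"0x[0-9a-fA-F]+\s+(\S+)$", line)
        if m:
            if current is None:
                raise ValueError("import before any DLL header: %r" % line)
            current[1].append(None if m.group(1) == "None" else m.group(1))
        else:
            current = (line, [])
            libs.append(current)
    return libs


def triage(libs):
    """Map each capability whose threshold is met to the sorted APIs that matched."""
    names = {n for _, fns in libs for n in fns if n}
    hits = {}
    for cap, (minimum, apis) in CAPABILITIES.items():
        found = sorted(names & apis)
        if len(found) >= minimum:
            hits[cap] = found
    return hits


def imphash(libs):
    """pefile-style import hash; unnamed imports are skipped (see module docstring)."""
    parts = []
    for dll, fns in libs:
        lib = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        parts.extend("%s.%s" % (lib, fn.lower()) for fn in fns if fn)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    libs = parse_iat(IAT_DUMP)
    for cap, found in triage(libs).items():
        print("%-22s %s" % (cap, ", ".join(found)))
    print("imphash (abridged dump, not comparable to the report):", imphash(libs))
```

Import-based triage says what the binary can do, not what it did; the sandbox signatures above are the runtime confirmation, and the two should be read side by side. Because imphash is order-sensitive and ordinal-sensitive, compute it with pefile on the actual file when pivoting, not from a text dump.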