Report - Hkbsse.exe

Amadey Generic Malware Malicious Library Malicious Packer UPX Antivirus PE File PE32 OS Processor Check DLL PE64 JPEG Format
Created 2024.09.26 10:22 Machine s1_win7_x6401
Filename Hkbsse.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 12.0
ZERO API file : clean
VT API (file) 51 detected (AIDetectMalware, Malicious, score, Zusy, Unsafe, Save, Delf, Attribute, HighConfidence, Windows, Threat, Amadey, BotX, 94ZIjYSVylS, AGEN, MulDrop28, Real Protect, moderate, Generic ML PUA, Static AI, Suspicious PE, akal, Detected, Eldorado, R664066, BScope, Deyma, GdSda, Gencirc, susgen)
md5 e4f3ed3daf21363918afbc91db6f775b
sha256 4c6f323142d184d3021fce521628676badac99d1664d8ec208e6d2fb298e65b4
ssdeep 12288:iAHIqeXuOre8e8lHcafb1eVL5u2OUtkr:nIqeXu2ewWqb1w7tkr
imphash f0ba1e2fafb46228d56b5d07719ed13d
impfuzzy 96:QXYDGKnh5Edcg+JU0tWmuX17fysX+kXpEi0ZFRL5YMI:QZM8hF7fHOk5EbgMI

Signature (28cnts)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to identify installed AV products by installation directory
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Installs itself for autorun at Windows startup
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process hkbsse.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (19cnts)

Level Name Description Collection
danger Win_Amadey_Zero Amadey bot binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
http://amoamosss.com/Dem7kTu/Plugins/cred64.dll RU OOO Network of data-centers Selectel 31.41.154.129 clean
http://amoamosss.com/Dem7kTu/Plugins/clip64.dll RU OOO Network of data-centers Selectel 31.41.154.129 clean
http://amoamosss.com/Dem7kTu/index.php RU OOO Network of data-centers Selectel 31.41.154.129 clean
http://amoamosss.com/Dem7kTu/index.php?scr=1 RU OOO Network of data-centers Selectel 31.41.154.129 clean
amoamosss.com RU OOO Network of data-centers Selectel 31.41.154.129 clean
31.41.154.129 RU OOO Network of data-centers Selectel 31.41.154.129 clean
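The Network rows above give the C2 host, its IP and the URL paths this sample used: a one-level campaign directory (Dem7kTu), index.php for the check-in, index.php?scr=1 for the screenshot upload, and two plugin DLLs under Plugins/. The script below is an added example, not part of the sandbox report, that turns those rows into a proxy-log check. The log lines are constructed; treating the campaign directory as a wildcard is an assumption, since only one value appears in this report.

```python
"""Check proxy-log lines against the Amadey C2 indicators from this report.

Added example, not part of the sandbox report. The log lines are constructed;
the domain, IP and URL paths are the ones listed in the Network section.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's Network section.
C2_DOMAINS = {"amoamosss.com"}
C2_IPS = {"31.41.154.129"}

# URL layout seen in the report: /<campaign dir>/index.php for check-in,
# index.php?scr=1 for the screenshot upload, Plugins/cred64.dll and
# Plugins/clip64.dll for plugin downloads. The directory is treated as a
# wildcard (assumption: only Dem7kTu appears in this run).
C2_PATH_RE = re.compile(
    r"^/[A-Za-z0-9]+/(index\.php(?:\?scr=1)?|Plugins/(?:cred|clip)64\.dll)$"
)

# Constructed proxy log, fields: timestamp client method url status bytes
LOG_LINES = """\
2024-09-26T10:22:14Z 10.0.0.15 POST http://amoamosss.com/Dem7kTu/index.php 200 512
2024-09-26T10:22:16Z 10.0.0.15 GET http://amoamosss.com/Dem7kTu/Plugins/cred64.dll 200 183296
2024-09-26T10:22:17Z 10.0.0.15 GET http://amoamosss.com/Dem7kTu/Plugins/clip64.dll 200 90112
2024-09-26T10:22:30Z 10.0.0.15 POST http://amoamosss.com/Dem7kTu/index.php?scr=1 200 40960
2024-09-26T10:23:01Z 10.0.0.22 GET http://example.com/index.php 200 2048
2024-09-26T10:23:05Z 10.0.0.22 POST http://31.41.154.129/Xy9kLq/index.php 200 300
2024-09-26T10:23:09Z 10.0.0.31 GET http://cdn.example.net/Assets1/index.php 200 1200
""".splitlines()


def classify(line):
    """Return the reasons a log line looks like Amadey C2 traffic ([] if none)."""
    _ts, _client, _method, url, _status, _size = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("known C2 domain")
    if host in C2_IPS:
        reasons.append("known C2 IP")
    m = C2_PATH_RE.match(path)
    if m:
        tag = m.group(1)
        # A bare /<dir>/index.php is common on benign sites; only the
        # screenshot and plugin paths are strong on their own.
        strength = "weak" if tag == "index.php" else "strong"
        reasons.append(f"{strength} Amadey URL pattern: {tag}")
    return reasons


def is_hit(reasons):
    """A line counts as a hit only if it has at least one non-weak reason."""
    return any(not r.startswith("weak") for r in reasons)


def scan(lines):
    """Return (client, url, reasons) for every line that is a hit."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if is_hit(reasons):
            fields = line.split()
            hits.append((fields[1], fields[3], reasons))
    return hits


def infected_hosts(lines):
    """Client addresses that produced at least one hit."""
    return {client for client, _url, _reasons in scan(lines)}


if __name__ == "__main__":
    for client, url, reasons in scan(LOG_LINES):
        print(client, url, "; ".join(reasons))
    print("hosts to isolate:", sorted(infected_hosts(LOG_LINES)))
```

The host and IP indicators are the reliable part; the path pattern is there so that a rotated domain on the same panel layout still surfaces, but a bare /<dir>/index.php is deliberately rated weak and never raises a hit by itself.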

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x45404c CreateThread
 0x454050 GetLocalTime
 0x454054 GetThreadContext
 0x454058 GetProcAddress
 0x45405c VirtualAllocEx
 0x454060 RemoveDirectoryA
 0x454064 ReadProcessMemory
 0x454068 GetSystemInfo
 0x45406c CreateDirectoryA
 0x454070 SetThreadContext
 0x454074 SetEndOfFile
 0x454078 DecodePointer
 0x45407c ReadConsoleW
 0x454080 HeapReAlloc
 0x454084 HeapSize
 0x454088 CloseHandle
 0x45408c CreateFileA
 0x454090 GetFileAttributesA
 0x454094 GetLastError
 0x454098 Sleep
 0x45409c GetTempPathA
 0x4540a0 SetCurrentDirectoryA
 0x4540a4 GetModuleHandleA
 0x4540a8 ResumeThread
 0x4540ac GetComputerNameExW
 0x4540b0 GetVersionExW
 0x4540b4 CreateMutexA
 0x4540b8 VirtualAlloc
 0x4540bc WriteFile
 0x4540c0 VirtualFree
 0x4540c4 WriteProcessMemory
 0x4540c8 GetModuleFileNameA
 0x4540cc CreateProcessA
 0x4540d0 ReadFile
 0x4540d4 GetTimeZoneInformation
 0x4540d8 GetConsoleMode
 0x4540dc GetConsoleCP
 0x4540e0 FlushFileBuffers
 0x4540e4 GetStringTypeW
 0x4540e8 GetProcessHeap
 0x4540ec SetEnvironmentVariableW
 0x4540f0 FreeEnvironmentStringsW
 0x4540f4 GetEnvironmentStringsW
 0x4540f8 GetCPInfo
 0x4540fc GetOEMCP
 0x454100 GetACP
 0x454104 IsValidCodePage
 0x454108 FindNextFileW
 0x45410c FindFirstFileExW
 0x454110 FindClose
 0x454114 SetFilePointerEx
 0x454118 SetStdHandle
 0x45411c GetFullPathNameW
 0x454120 GetCurrentDirectoryW
 0x454124 DeleteFileW
 0x454128 LCMapStringW
 0x45412c CompareStringW
 0x454130 MultiByteToWideChar
 0x454134 HeapAlloc
 0x454138 HeapFree
 0x45413c GetCommandLineW
 0x454140 GetCommandLineA
 0x454144 GetStdHandle
 0x454148 FileTimeToSystemTime
 0x45414c SystemTimeToTzSpecificLocalTime
 0x454150 PeekNamedPipe
 0x454154 GetFileType
 0x454158 GetFileInformationByHandle
 0x45415c GetDriveTypeW
 0x454160 RaiseException
 0x454164 GetCurrentThreadId
 0x454168 IsProcessorFeaturePresent
 0x45416c QueueUserWorkItem
 0x454170 GetModuleHandleExW
 0x454174 FormatMessageW
 0x454178 WideCharToMultiByte
 0x45417c EnterCriticalSection
 0x454180 LeaveCriticalSection
 0x454184 TryEnterCriticalSection
 0x454188 DeleteCriticalSection
 0x45418c SetLastError
 0x454190 InitializeCriticalSectionAndSpinCount
 0x454194 CreateEventW
 0x454198 SwitchToThread
 0x45419c TlsAlloc
 0x4541a0 TlsGetValue
 0x4541a4 TlsSetValue
 0x4541a8 TlsFree
 0x4541ac GetSystemTimeAsFileTime
 0x4541b0 GetTickCount
 0x4541b4 GetModuleHandleW
 0x4541b8 WaitForSingleObjectEx
 0x4541bc QueryPerformanceCounter
 0x4541c0 SetEvent
 0x4541c4 ResetEvent
 0x4541c8 UnhandledExceptionFilter
 0x4541cc SetUnhandledExceptionFilter
 0x4541d0 GetCurrentProcess
 0x4541d4 TerminateProcess
 0x4541d8 IsDebuggerPresent
 0x4541dc GetStartupInfoW
 0x4541e0 GetCurrentProcessId
 0x4541e4 InitializeSListHead
 0x4541e8 CreateTimerQueue
 0x4541ec SignalObjectAndWait
 0x4541f0 SetThreadPriority
 0x4541f4 GetThreadPriority
 0x4541f8 GetLogicalProcessorInformation
 0x4541fc CreateTimerQueueTimer
 0x454200 ChangeTimerQueueTimer
 0x454204 DeleteTimerQueueTimer
 0x454208 GetNumaHighestNodeNumber
 0x45420c GetProcessAffinityMask
 0x454210 SetThreadAffinityMask
 0x454214 RegisterWaitForSingleObject
 0x454218 UnregisterWait
 0x45421c EncodePointer
 0x454220 GetCurrentThread
 0x454224 GetThreadTimes
 0x454228 FreeLibrary
 0x45422c FreeLibraryAndExitThread
 0x454230 GetModuleFileNameW
 0x454234 LoadLibraryExW
 0x454238 VirtualProtect
 0x45423c DuplicateHandle
 0x454240 ReleaseSemaphore
 0x454244 InterlockedPopEntrySList
 0x454248 InterlockedPushEntrySList
 0x45424c InterlockedFlushSList
 0x454250 QueryDepthSList
 0x454254 UnregisterWaitEx
 0x454258 LoadLibraryW
 0x45425c RtlUnwind
 0x454260 ExitProcess
 0x454264 CreateFileW
 0x454268 WriteConsoleW
USER32.dll
 0x454284 GetSystemMetrics
 0x454288 ReleaseDC
 0x45428c GetDC
GDI32.dll
 0x454034 CreateCompatibleBitmap
 0x454038 SelectObject
 0x45403c CreateCompatibleDC
 0x454040 DeleteObject
 0x454044 BitBlt
ADVAPI32.dll
 0x454000 RegCloseKey
 0x454004 RegQueryInfoKeyW
 0x454008 RegGetValueA
 0x45400c RegQueryValueExA
 0x454010 GetSidSubAuthorityCount
 0x454014 GetSidSubAuthority
 0x454018 GetUserNameA
 0x45401c LookupAccountNameA
 0x454020 RegSetValueExA
 0x454024 RegOpenKeyExA
 0x454028 RegEnumValueA
 0x45402c GetSidIdentifierAuthority
SHELL32.dll
 0x454270 SHGetFolderPathA
 0x454274 ShellExecuteA
 0x454278 (import by ordinal, no name)
 0x45427c SHFileOperationA
ole32.dll
 0x454314 CoUninitialize
 0x454318 CoCreateInstance
 0x45431c CoInitialize
WININET.dll
 0x454294 HttpOpenRequestA
 0x454298 InternetWriteFile
 0x45429c InternetOpenUrlA
 0x4542a0 InternetOpenW
 0x4542a4 HttpEndRequestW
 0x4542a8 HttpAddRequestHeadersA
 0x4542ac HttpSendRequestExA
 0x4542b0 InternetOpenA
 0x4542b4 InternetCloseHandle
 0x4542b8 HttpSendRequestA
 0x4542bc InternetConnectA
 0x4542c0 InternetReadFile
gdiplus.dll
 0x4542f4 GdipGetImageEncodersSize
 0x4542f8 GdipDisposeImage
 0x4542fc GdiplusStartup
 0x454300 GdiplusShutdown
 0x454304 GdipGetImageEncoders
 0x454308 GdipSaveImageToFile
 0x45430c GdipCreateBitmapFromHBITMAP
WS2_32.dll
 0x4542c8 closesocket
 0x4542cc inet_pton
 0x4542d0 getaddrinfo
 0x4542d4 WSAStartup
 0x4542d8 send
 0x4542dc socket
 0x4542e0 connect
 0x4542e4 recv
 0x4542e8 htons
 0x4542ec freeaddrinfo

EAT(Export Address Table) is none
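The IAT above reads like a capability list: CreateProcessA with VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext and ResumeThread; GetDC, CreateCompatibleBitmap and BitBlt followed by GdipCreateBitmapFromHBITMAP and GdipSaveImageToFile (which matches the index.php?scr=1 upload above); WinINet and Winsock; RegSetValueExA. The script below is an added example, not part of the report or of any tool it ran. It applies simple import-cluster rules to a subset of the imports copied from the table; the capability names, API groupings and thresholds are my own heuristics, and the benign control set is constructed.

```python
"""Cluster an import table into capabilities, using the IAT from this report.

Added example, not part of the sandbox report. SAMPLE_IMPORTS is a subset of
the report's IAT (the full table is longer); the rules are my own triage
heuristics, not capa's rule set and not the sandbox's signatures.
"""

# Subset of the report's imports keyed by DLL. None marks an import by
# ordinal with no name, like the SHELL32 entry at 0x454278.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateThread", "GetThreadContext", "VirtualAllocEx",
                     "ReadProcessMemory", "GetSystemInfo", "SetThreadContext",
                     "CreateFileA", "GetTempPathA", "ResumeThread",
                     "GetComputerNameExW", "GetVersionExW", "CreateMutexA",
                     "VirtualAlloc", "WriteFile", "WriteProcessMemory",
                     "CreateProcessA", "IsDebuggerPresent", "VirtualProtect",
                     "LoadLibraryW", "GetProcAddress"],
    "USER32.dll": ["GetSystemMetrics", "ReleaseDC", "GetDC"],
    "GDI32.dll": ["CreateCompatibleBitmap", "SelectObject",
                  "CreateCompatibleDC", "DeleteObject", "BitBlt"],
    "ADVAPI32.dll": ["RegOpenKeyExA", "RegSetValueExA", "RegEnumValueA",
                     "GetUserNameA"],
    "SHELL32.dll": ["SHGetFolderPathA", "ShellExecuteA", None,
                    "SHFileOperationA"],
    "WININET.dll": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpSendRequestA", "InternetReadFile",
                    "HttpAddRequestHeadersA"],
    "gdiplus.dll": ["GdiplusStartup", "GdipCreateBitmapFromHBITMAP",
                    "GdipSaveImageToFile"],
    "WS2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv"],
}

# (capability, API set, minimum number of those APIs that must be present).
# Thresholds matter because single APIs are noisy: the MSVC CRT imports
# IsDebuggerPresent, GetTickCount and QueryPerformanceCounter by itself,
# which is why the report rates its debugger check only as "info".
RULES = [
    ("process hollowing / injection API pattern",
     {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
      "GetThreadContext", "SetThreadContext", "ResumeThread"}, 4),
    ("screen capture (GDI grab, GDI+ encode)",
     {"GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap", "BitBlt",
      "GdipCreateBitmapFromHBITMAP", "GdipSaveImageToFile"}, 4),
    ("HTTP client via WinINet",
     {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
      "HttpSendRequestA", "InternetReadFile"}, 3),
    ("raw TCP via Winsock",
     {"WSAStartup", "socket", "connect", "send", "recv"}, 4),
    ("registry write (persistence candidate)",
     {"RegOpenKeyExA", "RegSetValueExA"}, 2),
    ("host fingerprinting",
     {"GetComputerNameExW", "GetVersionExW", "GetUserNameA",
      "GetSystemInfo"}, 3),
    ("drop file and execute",
     {"GetTempPathA", "SHGetFolderPathA", "CreateFileA", "WriteFile",
      "ShellExecuteA"}, 3),
    ("anti-debug",
     {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
      "NtQueryInformationProcess", "OutputDebugStringA"}, 2),
]


def present_apis(imports):
    """Flatten to a set of named imports; ordinal (None) entries have no name."""
    return {api for apis in imports.values() for api in apis if api}


def match_capabilities(imports):
    """Return {capability: sorted matched APIs} for rules meeting their threshold."""
    have = present_apis(imports)
    found = {}
    for name, apis, min_hits in RULES:
        hits = sorted(apis & have)
        if len(hits) >= min_hits:
            found[name] = hits
    return found


def ordinal_imports(imports):
    """DLLs that carry unnamed (ordinal) imports; resolve these by hand."""
    return sorted(dll for dll, apis in imports.items()
                  if any(api is None for api in apis))


# Constructed control: the CRT-only imports of a plain MSVC console program.
BENIGN_IMPORTS = {"KERNEL32.dll": [
    "IsDebuggerPresent", "GetTickCount", "QueryPerformanceCounter",
    "HeapAlloc", "HeapFree", "CreateFileW", "WriteFile", "GetModuleHandleW",
    "ExitProcess"]}


if __name__ == "__main__":
    for cap, apis in match_capabilities(SAMPLE_IMPORTS).items():
        print(f"{cap}: {', '.join(apis)}")
    print("ordinal imports in:", ordinal_imports(SAMPLE_IMPORTS))
    print("benign control matches:", match_capabilities(BENIGN_IMPORTS))
```

Import clustering is a static first pass only: the sample is flagged UPX-packed in the Rules section, so a packed layer can hide the real IAT until it is unpacked or the process is dumped at runtime, and a bare IsDebuggerPresent should not be read as an evasion feature on its own.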
