Report - am.exe

Stealc Gen1 Generic Malware Themida Malicious Library Malicious Packer UPX Socket Http API HTTP DNS Code injection Internet API AntiDebug AntiVM PE File PE32 OS Processor Check DLL
Created 2024.10.01 16:45 Machine s1_win7_x6401
Filename am.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
Behavior Score
20.2
ZERO API file : mailcious
VT API (file) 60 detected (AIDetectMalware, Amadey, Malicious, score, Doina, Unsafe, Vb0i, confidence, Delf, Genus, Windows, Threat, MalwareX, Deyma, Xpaj, CLASSIC, AGEN, SpyBot, YXEI4Z, Real Protect, high, Static AI, Malicious PE, Detected, HeurC, KVMH017, Malware@#1fa93b5iqgn6b, Eldorado, R659224, Artemis, BScope, GdSda, Hajl, susgen)
md5 7a1cee6327c5acf66e2aebb0d7bc25bc
sha256 83f5e08f80cb28ba3197e06721b05fc1a1018cb7ea908f054aea6a69014e1a13
ssdeep 12288:MXyHTfxyxfLot/eoWBXkTLL/+gJuGumEaheXGE/t6:1zfxyxDCG70L7RZhe2h
imphash 9c7c36eb46cc991a5074f8a811c4c46c
impfuzzy 96:QXYDGKnh5Edcg+JU0tWmuX17fysX+kXpEi0ZRL5W:QZM8hF7fHOk5EbI

Signature (41cnts)

Level Description
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to identify installed AV products by installation directory
watch Checks for the presence of known devices from debuggers and forensic tools
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the CPU name from registry
watch Checks the version of Bios
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects VMWare through the in instruction feature
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch One or more non-whitelisted processes were created
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice An executable file was downloaded by the processes skotes.exe
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (31cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
warning themida_packer themida packer binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Network_DNS Communications use DNS memory
notice Network_HTTP Communications over HTTP memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (15cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.215.113.43/Zu7JuNko/index.php Unknown 185.215.113.43 clean
http://185.215.113.103/well/random.exe Unknown 185.215.113.103 42761 mailcious
http://185.215.113.37/0d60be0de163924d/msvcp140.dll Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/nss3.dll Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll Unknown 185.215.113.37 clean
http://185.215.113.37/ Unknown 185.215.113.37 42691 mailcious
http://185.215.113.37/0d60be0de163924d/softokn3.dll Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/mozglue.dll Unknown 185.215.113.37 clean
http://185.215.113.103/steam/random.exe Unknown 185.215.113.103 malware
http://185.215.113.37/0d60be0de163924d/freebl3.dll Unknown 185.215.113.37 clean
http://185.215.113.37/e2b1563c6670f193.php Unknown 185.215.113.37 clean
http://185.215.113.37/0d60be0de163924d/sqlite3.dll Unknown 185.215.113.37 clean
185.215.113.43 Unknown 185.215.113.43 clean
185.215.113.37 Unknown 185.215.113.37 mailcious
185.215.113.103 Unknown 185.215.113.103 mailcious

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x450030 CreateThread
 0x450034 GetLocalTime
 0x450038 GetThreadContext
 0x45003c GetProcAddress
 0x450040 VirtualAllocEx
 0x450044 RemoveDirectoryA
 0x450048 ReadProcessMemory
 0x45004c GetSystemInfo
 0x450050 CreateDirectoryA
 0x450054 SetThreadContext
 0x450058 SetEndOfFile
 0x45005c DecodePointer
 0x450060 ReadConsoleW
 0x450064 HeapReAlloc
 0x450068 HeapSize
 0x45006c CloseHandle
 0x450070 CreateFileA
 0x450074 GetFileAttributesA
 0x450078 GetLastError
 0x45007c Sleep
 0x450080 GetTempPathA
 0x450084 SetCurrentDirectoryA
 0x450088 GetModuleHandleA
 0x45008c ResumeThread
 0x450090 GetComputerNameExW
 0x450094 GetVersionExW
 0x450098 CreateMutexA
 0x45009c VirtualAlloc
 0x4500a0 WriteFile
 0x4500a4 VirtualFree
 0x4500a8 WriteProcessMemory
 0x4500ac GetModuleFileNameA
 0x4500b0 CreateProcessA
 0x4500b4 ReadFile
 0x4500b8 GetTimeZoneInformation
 0x4500bc GetConsoleMode
 0x4500c0 GetConsoleCP
 0x4500c4 FlushFileBuffers
 0x4500c8 GetStringTypeW
 0x4500cc GetProcessHeap
 0x4500d0 SetEnvironmentVariableW
 0x4500d4 FreeEnvironmentStringsW
 0x4500d8 GetEnvironmentStringsW
 0x4500dc GetCPInfo
 0x4500e0 GetOEMCP
 0x4500e4 GetACP
 0x4500e8 IsValidCodePage
 0x4500ec FindNextFileW
 0x4500f0 FindFirstFileExW
 0x4500f4 FindClose
 0x4500f8 SetFilePointerEx
 0x4500fc SetStdHandle
 0x450100 GetFullPathNameW
 0x450104 GetCurrentDirectoryW
 0x450108 DeleteFileW
 0x45010c LCMapStringW
 0x450110 CompareStringW
 0x450114 MultiByteToWideChar
 0x450118 HeapAlloc
 0x45011c HeapFree
 0x450120 GetCommandLineW
 0x450124 GetCommandLineA
 0x450128 GetStdHandle
 0x45012c FileTimeToSystemTime
 0x450130 SystemTimeToTzSpecificLocalTime
 0x450134 PeekNamedPipe
 0x450138 GetFileType
 0x45013c GetFileInformationByHandle
 0x450140 GetDriveTypeW
 0x450144 RaiseException
 0x450148 GetCurrentThreadId
 0x45014c IsProcessorFeaturePresent
 0x450150 QueueUserWorkItem
 0x450154 GetModuleHandleExW
 0x450158 FormatMessageW
 0x45015c WideCharToMultiByte
 0x450160 EnterCriticalSection
 0x450164 LeaveCriticalSection
 0x450168 TryEnterCriticalSection
 0x45016c DeleteCriticalSection
 0x450170 SetLastError
 0x450174 InitializeCriticalSectionAndSpinCount
 0x450178 CreateEventW
 0x45017c SwitchToThread
 0x450180 TlsAlloc
 0x450184 TlsGetValue
 0x450188 TlsSetValue
 0x45018c TlsFree
 0x450190 GetSystemTimeAsFileTime
 0x450194 GetTickCount
 0x450198 GetModuleHandleW
 0x45019c WaitForSingleObjectEx
 0x4501a0 QueryPerformanceCounter
 0x4501a4 SetEvent
 0x4501a8 ResetEvent
 0x4501ac UnhandledExceptionFilter
 0x4501b0 SetUnhandledExceptionFilter
 0x4501b4 GetCurrentProcess
 0x4501b8 TerminateProcess
 0x4501bc IsDebuggerPresent
 0x4501c0 GetStartupInfoW
 0x4501c4 GetCurrentProcessId
 0x4501c8 InitializeSListHead
 0x4501cc CreateTimerQueue
 0x4501d0 SignalObjectAndWait
 0x4501d4 SetThreadPriority
 0x4501d8 GetThreadPriority
 0x4501dc GetLogicalProcessorInformation
 0x4501e0 CreateTimerQueueTimer
 0x4501e4 ChangeTimerQueueTimer
 0x4501e8 DeleteTimerQueueTimer
 0x4501ec GetNumaHighestNodeNumber
 0x4501f0 GetProcessAffinityMask
 0x4501f4 SetThreadAffinityMask
 0x4501f8 RegisterWaitForSingleObject
 0x4501fc UnregisterWait
 0x450200 EncodePointer
 0x450204 GetCurrentThread
 0x450208 GetThreadTimes
 0x45020c FreeLibrary
 0x450210 FreeLibraryAndExitThread
 0x450214 GetModuleFileNameW
 0x450218 LoadLibraryExW
 0x45021c VirtualProtect
 0x450220 DuplicateHandle
 0x450224 ReleaseSemaphore
 0x450228 InterlockedPopEntrySList
 0x45022c InterlockedPushEntrySList
 0x450230 InterlockedFlushSList
 0x450234 QueryDepthSList
 0x450238 UnregisterWaitEx
 0x45023c LoadLibraryW
 0x450240 RtlUnwind
 0x450244 ExitProcess
 0x450248 CreateFileW
 0x45024c WriteConsoleW
ADVAPI32.dll
 0x450000 RegCloseKey
 0x450004 RegQueryInfoKeyW
 0x450008 RegQueryValueExA
 0x45000c GetSidSubAuthorityCount
 0x450010 GetSidSubAuthority
 0x450014 GetUserNameA
 0x450018 LookupAccountNameA
 0x45001c RegSetValueExA
 0x450020 RegOpenKeyExA
 0x450024 RegEnumValueA
 0x450028 GetSidIdentifierAuthority
SHELL32.dll
 0x450254 SHGetFolderPathA
 0x450258 ShellExecuteA
 0x45025c None
 0x450260 SHFileOperationA
ole32.dll
 0x4502b8 CoUninitialize
 0x4502bc CoCreateInstance
 0x4502c0 CoInitialize
WININET.dll
 0x450268 HttpOpenRequestA
 0x45026c InternetOpenUrlA
 0x450270 InternetOpenW
 0x450274 InternetOpenA
 0x450278 InternetCloseHandle
 0x45027c HttpSendRequestA
 0x450280 InternetConnectA
 0x450284 InternetReadFile
WS2_32.dll
 0x45028c closesocket
 0x450290 inet_pton
 0x450294 getaddrinfo
 0x450298 WSAStartup
 0x45029c send
 0x4502a0 socket
 0x4502a4 connect
 0x4502a8 recv
 0x4502ac htons
 0x4502b0 freeaddrinfo

EAT(Export Address Table) is none