Field | Value |
---|---|
Created | 2024.10.01 16:45 |
Machine | s1_win7_x6401 |
Filename | am.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | 60 detected (AIDetectMalware, Amadey, Malicious, score, Doina, Unsafe, Vb0i, confidence, Delf, Genus, Windows, Threat, MalwareX, Deyma, Xpaj, CLASSIC, AGEN, SpyBot, YXEI4Z, Real Protect, high, Static AI, Malicious PE, Detected, HeurC, KVMH017, Malware@#1fa93b5iqgn6b, Eldorado, R659224, Artemis, BScope, GdSda, Hajl, susgen) |
md5 | 7a1cee6327c5acf66e2aebb0d7bc25bc |
sha256 | 83f5e08f80cb28ba3197e06721b05fc1a1018cb7ea908f054aea6a69014e1a13 |
ssdeep | 12288:MXyHTfxyxfLot/eoWBXkTLL/+gJuGumEaheXGE/t6:1zfxyxDCG70L7RZhe2h |
imphash | 9c7c36eb46cc991a5074f8a811c4c46c |
impfuzzy | 96:QXYDGKnh5Edcg+JU0tWmuX17fysX+kXpEi0ZRL5W:QZM8hF7fHOk5EbI |
Signature (41cnts)
Level | Description |
---|---|
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to identify installed AV products by installation directory |
watch | Checks for the presence of known devices from debuggers and forensic tools |
watch | Checks for the presence of known windows from debuggers and forensic tools |
watch | Checks the CPU name from registry |
watch | Checks the version of Bios |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Detects VMWare through the in instruction feature |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process attempted to delay the analysis task |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | An executable file was downloaded by the process skotes.exe |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (31cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
warning | themida_packer | themida packer | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (15cnts)
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x450030 CreateThread
0x450034 GetLocalTime
0x450038 GetThreadContext
0x45003c GetProcAddress
0x450040 VirtualAllocEx
0x450044 RemoveDirectoryA
0x450048 ReadProcessMemory
0x45004c GetSystemInfo
0x450050 CreateDirectoryA
0x450054 SetThreadContext
0x450058 SetEndOfFile
0x45005c DecodePointer
0x450060 ReadConsoleW
0x450064 HeapReAlloc
0x450068 HeapSize
0x45006c CloseHandle
0x450070 CreateFileA
0x450074 GetFileAttributesA
0x450078 GetLastError
0x45007c Sleep
0x450080 GetTempPathA
0x450084 SetCurrentDirectoryA
0x450088 GetModuleHandleA
0x45008c ResumeThread
0x450090 GetComputerNameExW
0x450094 GetVersionExW
0x450098 CreateMutexA
0x45009c VirtualAlloc
0x4500a0 WriteFile
0x4500a4 VirtualFree
0x4500a8 WriteProcessMemory
0x4500ac GetModuleFileNameA
0x4500b0 CreateProcessA
0x4500b4 ReadFile
0x4500b8 GetTimeZoneInformation
0x4500bc GetConsoleMode
0x4500c0 GetConsoleCP
0x4500c4 FlushFileBuffers
0x4500c8 GetStringTypeW
0x4500cc GetProcessHeap
0x4500d0 SetEnvironmentVariableW
0x4500d4 FreeEnvironmentStringsW
0x4500d8 GetEnvironmentStringsW
0x4500dc GetCPInfo
0x4500e0 GetOEMCP
0x4500e4 GetACP
0x4500e8 IsValidCodePage
0x4500ec FindNextFileW
0x4500f0 FindFirstFileExW
0x4500f4 FindClose
0x4500f8 SetFilePointerEx
0x4500fc SetStdHandle
0x450100 GetFullPathNameW
0x450104 GetCurrentDirectoryW
0x450108 DeleteFileW
0x45010c LCMapStringW
0x450110 CompareStringW
0x450114 MultiByteToWideChar
0x450118 HeapAlloc
0x45011c HeapFree
0x450120 GetCommandLineW
0x450124 GetCommandLineA
0x450128 GetStdHandle
0x45012c FileTimeToSystemTime
0x450130 SystemTimeToTzSpecificLocalTime
0x450134 PeekNamedPipe
0x450138 GetFileType
0x45013c GetFileInformationByHandle
0x450140 GetDriveTypeW
0x450144 RaiseException
0x450148 GetCurrentThreadId
0x45014c IsProcessorFeaturePresent
0x450150 QueueUserWorkItem
0x450154 GetModuleHandleExW
0x450158 FormatMessageW
0x45015c WideCharToMultiByte
0x450160 EnterCriticalSection
0x450164 LeaveCriticalSection
0x450168 TryEnterCriticalSection
0x45016c DeleteCriticalSection
0x450170 SetLastError
0x450174 InitializeCriticalSectionAndSpinCount
0x450178 CreateEventW
0x45017c SwitchToThread
0x450180 TlsAlloc
0x450184 TlsGetValue
0x450188 TlsSetValue
0x45018c TlsFree
0x450190 GetSystemTimeAsFileTime
0x450194 GetTickCount
0x450198 GetModuleHandleW
0x45019c WaitForSingleObjectEx
0x4501a0 QueryPerformanceCounter
0x4501a4 SetEvent
0x4501a8 ResetEvent
0x4501ac UnhandledExceptionFilter
0x4501b0 SetUnhandledExceptionFilter
0x4501b4 GetCurrentProcess
0x4501b8 TerminateProcess
0x4501bc IsDebuggerPresent
0x4501c0 GetStartupInfoW
0x4501c4 GetCurrentProcessId
0x4501c8 InitializeSListHead
0x4501cc CreateTimerQueue
0x4501d0 SignalObjectAndWait
0x4501d4 SetThreadPriority
0x4501d8 GetThreadPriority
0x4501dc GetLogicalProcessorInformation
0x4501e0 CreateTimerQueueTimer
0x4501e4 ChangeTimerQueueTimer
0x4501e8 DeleteTimerQueueTimer
0x4501ec GetNumaHighestNodeNumber
0x4501f0 GetProcessAffinityMask
0x4501f4 SetThreadAffinityMask
0x4501f8 RegisterWaitForSingleObject
0x4501fc UnregisterWait
0x450200 EncodePointer
0x450204 GetCurrentThread
0x450208 GetThreadTimes
0x45020c FreeLibrary
0x450210 FreeLibraryAndExitThread
0x450214 GetModuleFileNameW
0x450218 LoadLibraryExW
0x45021c VirtualProtect
0x450220 DuplicateHandle
0x450224 ReleaseSemaphore
0x450228 InterlockedPopEntrySList
0x45022c InterlockedPushEntrySList
0x450230 InterlockedFlushSList
0x450234 QueryDepthSList
0x450238 UnregisterWaitEx
0x45023c LoadLibraryW
0x450240 RtlUnwind
0x450244 ExitProcess
0x450248 CreateFileW
0x45024c WriteConsoleW
ADVAPI32.dll
0x450000 RegCloseKey
0x450004 RegQueryInfoKeyW
0x450008 RegQueryValueExA
0x45000c GetSidSubAuthorityCount
0x450010 GetSidSubAuthority
0x450014 GetUserNameA
0x450018 LookupAccountNameA
0x45001c RegSetValueExA
0x450020 RegOpenKeyExA
0x450024 RegEnumValueA
0x450028 GetSidIdentifierAuthority
SHELL32.dll
0x450254 SHGetFolderPathA
0x450258 ShellExecuteA
0x45025c None
0x450260 SHFileOperationA
ole32.dll
0x4502b8 CoUninitialize
0x4502bc CoCreateInstance
0x4502c0 CoInitialize
WININET.dll
0x450268 HttpOpenRequestA
0x45026c InternetOpenUrlA
0x450270 InternetOpenW
0x450274 InternetOpenA
0x450278 InternetCloseHandle
0x45027c HttpSendRequestA
0x450280 InternetConnectA
0x450284 InternetReadFile
WS2_32.dll
0x45028c closesocket
0x450290 inet_pton
0x450294 getaddrinfo
0x450298 WSAStartup
0x45029c send
0x4502a0 socket
0x4502a4 connect
0x4502a8 recv
0x4502ac htons
0x4502b0 freeaddrinfo
EAT (Export Address Table) is none