ScreenShot
Field | Value |
---|---|
Created | 2024.10.16 11:13 |
Machine | s1_win7_x6403 |
Filename | madey.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : mailcious |
VT API (file) | 57 detected (AIDetectMalware, Amadey, Malicious, score, Deyma, Zusy, Unsafe, Vuku, confidence, Delf, Attribute, HighConfidence, high confidence, MalwareX, Redcap, ksraod, CLOUD, wksod, MulDrop28, Real Protect, high, Static AI, Malicious PE, Detected, R671687, BScope, GdSda, Gencirc, uNEWiAa7AVM, susgen) |
md5 | 689ff816fc3db38894e81abbdf63c02b |
sha256 | f2ebbd96f7cf19aa8cc8b1273d1f80169de93ac4dde951ff4547177a11010945 |
ssdeep | 12288:MzW5JeQqp6xEWEoiH5KlCrX4FZg40rvM1BCpkLDapAGEhoCXOfNw9lu+eqQoEzwz:MzWCKlCroFWHr6BCCXau7X3pP7 |
imphash | 91d1583dab6f50e9cc35b0dbf587fb1f |
impfuzzy | 96:PX64oGj4lIO7H5Edcg+JUdtWmuX17fysX+k6pIGRdFBh1:P9aIyGEF7fHOkAhh1 |
Network IP location
Signature (30cnts)
Level | Description |
---|---|
danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | Installs itself for autorun at Windows startup |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process gxtuum.exe |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (18cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win_Amadey_Zero | Amadey bot | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts)
Suricata IDs
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x468060 GetFileAttributesA
0x468064 Process32NextW
0x468068 CreateFileA
0x46806c Process32FirstW
0x468070 CloseHandle
0x468074 GetSystemInfo
0x468078 CreateThread
0x46807c GetLocalTime
0x468080 GetThreadContext
0x468084 GetProcAddress
0x468088 GetLastError
0x46808c RemoveDirectoryA
0x468090 ReadProcessMemory
0x468094 CreateProcessA
0x468098 CreateDirectoryA
0x46809c SetThreadContext
0x4680a0 SetEndOfFile
0x4680a4 HeapSize
0x4680a8 GetProcessHeap
0x4680ac SetEnvironmentVariableW
0x4680b0 FreeEnvironmentStringsW
0x4680b4 Wow64RevertWow64FsRedirection
0x4680b8 GetTempPathA
0x4680bc Sleep
0x4680c0 CreateToolhelp32Snapshot
0x4680c4 OpenProcess
0x4680c8 SetCurrentDirectoryA
0x4680cc GetModuleHandleA
0x4680d0 ResumeThread
0x4680d4 GetComputerNameExW
0x4680d8 GetVersionExW
0x4680dc WaitForSingleObject
0x4680e0 CreateMutexA
0x4680e4 FindClose
0x4680e8 PeekNamedPipe
0x4680ec CreatePipe
0x4680f0 FindNextFileA
0x4680f4 VirtualAlloc
0x4680f8 Wow64DisableWow64FsRedirection
0x4680fc WriteFile
0x468100 VirtualFree
0x468104 FindFirstFileA
0x468108 SetHandleInformation
0x46810c WriteProcessMemory
0x468110 GetModuleFileNameA
0x468114 VirtualAllocEx
0x468118 ReadFile
0x46811c GetEnvironmentStringsW
0x468120 GetOEMCP
0x468124 GetACP
0x468128 IsValidCodePage
0x46812c FindNextFileW
0x468130 FindFirstFileExW
0x468134 GetTimeZoneInformation
0x468138 HeapReAlloc
0x46813c ReadConsoleW
0x468140 SetStdHandle
0x468144 GetFullPathNameW
0x468148 GetCurrentDirectoryW
0x46814c DeleteFileW
0x468150 EnumSystemLocalesW
0x468154 GetUserDefaultLCID
0x468158 IsValidLocale
0x46815c HeapAlloc
0x468160 HeapFree
0x468164 GetConsoleMode
0x468168 GetConsoleCP
0x46816c FlushFileBuffers
0x468170 SetFilePointerEx
0x468174 GetFileSizeEx
0x468178 GetCommandLineW
0x46817c GetCommandLineA
0x468180 GetStdHandle
0x468184 FileTimeToSystemTime
0x468188 SystemTimeToTzSpecificLocalTime
0x46818c GetFileType
0x468190 GetFileInformationByHandle
0x468194 GetDriveTypeW
0x468198 CreateFileW
0x46819c ExitProcess
0x4681a0 RtlUnwind
0x4681a4 LoadLibraryW
0x4681a8 UnregisterWaitEx
0x4681ac QueryDepthSList
0x4681b0 InterlockedFlushSList
0x4681b4 RaiseException
0x4681b8 GetCurrentThreadId
0x4681bc IsProcessorFeaturePresent
0x4681c0 QueueUserWorkItem
0x4681c4 GetModuleHandleExW
0x4681c8 FormatMessageW
0x4681cc WideCharToMultiByte
0x4681d0 EnterCriticalSection
0x4681d4 LeaveCriticalSection
0x4681d8 TryEnterCriticalSection
0x4681dc DeleteCriticalSection
0x4681e0 SetLastError
0x4681e4 InitializeCriticalSectionAndSpinCount
0x4681e8 CreateEventW
0x4681ec SwitchToThread
0x4681f0 TlsAlloc
0x4681f4 TlsGetValue
0x4681f8 TlsSetValue
0x4681fc TlsFree
0x468200 GetSystemTimeAsFileTime
0x468204 GetTickCount
0x468208 GetModuleHandleW
0x46820c WaitForSingleObjectEx
0x468210 QueryPerformanceCounter
0x468214 EncodePointer
0x468218 DecodePointer
0x46821c MultiByteToWideChar
0x468220 CompareStringW
0x468224 LCMapStringW
0x468228 GetLocaleInfoW
0x46822c GetStringTypeW
0x468230 GetCPInfo
0x468234 SetEvent
0x468238 ResetEvent
0x46823c UnhandledExceptionFilter
0x468240 SetUnhandledExceptionFilter
0x468244 GetCurrentProcess
0x468248 TerminateProcess
0x46824c IsDebuggerPresent
0x468250 GetStartupInfoW
0x468254 GetCurrentProcessId
0x468258 InitializeSListHead
0x46825c CreateTimerQueue
0x468260 SignalObjectAndWait
0x468264 SetThreadPriority
0x468268 GetThreadPriority
0x46826c GetLogicalProcessorInformation
0x468270 CreateTimerQueueTimer
0x468274 ChangeTimerQueueTimer
0x468278 DeleteTimerQueueTimer
0x46827c GetNumaHighestNodeNumber
0x468280 GetProcessAffinityMask
0x468284 SetThreadAffinityMask
0x468288 RegisterWaitForSingleObject
0x46828c UnregisterWait
0x468290 GetCurrentThread
0x468294 GetThreadTimes
0x468298 FreeLibrary
0x46829c FreeLibraryAndExitThread
0x4682a0 GetModuleFileNameW
0x4682a4 LoadLibraryExW
0x4682a8 VirtualProtect
0x4682ac DuplicateHandle
0x4682b0 ReleaseSemaphore
0x4682b4 InterlockedPopEntrySList
0x4682b8 InterlockedPushEntrySList
0x4682bc WriteConsoleW
USER32.dll
0x4682d4 GetSystemMetrics
0x4682d8 ReleaseDC
0x4682dc GetDC
GDI32.dll
0x468048 CreateCompatibleBitmap
0x46804c SelectObject
0x468050 CreateCompatibleDC
0x468054 DeleteObject
0x468058 BitBlt
ADVAPI32.dll
0x468000 RevertToSelf
0x468004 RegCloseKey
0x468008 RegQueryInfoKeyW
0x46800c RegGetValueA
0x468010 RegQueryValueExA
0x468014 GetSidSubAuthorityCount
0x468018 GetSidSubAuthority
0x46801c GetUserNameA
0x468020 CreateProcessWithTokenW
0x468024 LookupAccountNameA
0x468028 ImpersonateLoggedOnUser
0x46802c RegSetValueExA
0x468030 OpenProcessToken
0x468034 RegOpenKeyExA
0x468038 RegEnumValueA
0x46803c DuplicateTokenEx
0x468040 GetSidIdentifierAuthority
SHELL32.dll
0x4682c4 SHGetFolderPathA
0x4682c8 ShellExecuteA
0x4682cc SHFileOperationA
ole32.dll
0x468364 CoUninitialize
0x468368 CoCreateInstance
0x46836c CoInitialize
WININET.dll
0x4682e4 HttpOpenRequestA
0x4682e8 InternetWriteFile
0x4682ec InternetOpenUrlA
0x4682f0 InternetOpenW
0x4682f4 HttpEndRequestW
0x4682f8 HttpAddRequestHeadersA
0x4682fc HttpSendRequestExA
0x468300 InternetOpenA
0x468304 InternetCloseHandle
0x468308 HttpSendRequestA
0x46830c InternetConnectA
0x468310 InternetReadFile
gdiplus.dll
0x468344 GdiplusStartup
0x468348 GdipSaveImageToFile
0x46834c GdipGetImageEncodersSize
0x468350 GdiplusShutdown
0x468354 GdipGetImageEncoders
0x468358 GdipCreateBitmapFromHBITMAP
0x46835c GdipDisposeImage
WS2_32.dll
0x468318 closesocket
0x46831c inet_pton
0x468320 getaddrinfo
0x468324 WSAStartup
0x468328 send
0x46832c socket
0x468330 connect
0x468334 recv
0x468338 htons
0x46833c freeaddrinfo
EAT (Export Address Table): none