| Field | Value |
|---|---|
| Created | 2025.02.11 10:54 |
| Machine | s1_win7_x6401 |
| Filename | amnew.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| ZERO API | file : malicious |
| VT API (file) | 59 detected (AIDetectMalware, Amadey, Malicious, score, Doina, Unsafe, confidence, 100%, Delf, Genus, Attribute, HighConfidence, high confidence, Deyma, kvmljn, CLOUD, Redcap, zvzjx, MulDrop29, Real Protect, moderate, Static AI, Malicious PE, Detected, Sabsik, Wacatac, Eldorado, R679980, Artemis, BScope, Gencirc, jitKLDU60xo, susgen) |
| md5 | 22892b8303fa56f4b584a04c09d508d8 |
| sha256 | 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f |
| ssdeep | 6144:e/RCey1AxsmF1cQxQ3KcTN3Wz40v1fwb6prdotQ6g0MQYSE2/H9yQ+iT5gc7AOEp:e/RCey1AxsmUQ63NmjyQ6g0MQYZc7Qb |
| imphash | 738a9f5d52d683b5b6a4ba77d2da72af |
| impfuzzy | 96:2XHD5GjAlw55WJcpH+r26ptWrDZsGRgFBh1:2IayWwZih1 |
Signature (11cnts)
Level | Description |
---|---|
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x45105c GetLastError
0x451060 GetFileAttributesA
0x451064 Process32NextW
0x451068 CreateFileA
0x45106c Process32FirstW
0x451070 CloseHandle
0x451074 GetSystemInfo
0x451078 CreateThread
0x45107c GetThreadContext
0x451080 GetProcAddress
0x451084 Wow64RevertWow64FsRedirection
0x451088 RemoveDirectoryA
0x45108c ReadProcessMemory
0x451090 CreateProcessA
0x451094 CreateDirectoryA
0x451098 SetThreadContext
0x45109c SetEndOfFile
0x4510a0 HeapSize
0x4510a4 GetProcessHeap
0x4510a8 SetEnvironmentVariableW
0x4510ac GetTempPathA
0x4510b0 Sleep
0x4510b4 CreateToolhelp32Snapshot
0x4510b8 SetCurrentDirectoryA
0x4510bc GetModuleHandleA
0x4510c0 OpenProcess
0x4510c4 ResumeThread
0x4510c8 GetComputerNameExW
0x4510cc GetVersionExW
0x4510d0 WaitForSingleObject
0x4510d4 CreateMutexA
0x4510d8 FindClose
0x4510dc PeekNamedPipe
0x4510e0 CreatePipe
0x4510e4 FindNextFileA
0x4510e8 VirtualAlloc
0x4510ec Wow64DisableWow64FsRedirection
0x4510f0 WriteFile
0x4510f4 VirtualFree
0x4510f8 FindFirstFileA
0x4510fc SetHandleInformation
0x451100 WriteProcessMemory
0x451104 GetModuleFileNameA
0x451108 VirtualAllocEx
0x45110c ReadFile
0x451110 FreeEnvironmentStringsW
0x451114 GetEnvironmentStringsW
0x451118 GetOEMCP
0x45111c GetACP
0x451120 IsValidCodePage
0x451124 FindNextFileW
0x451128 FindFirstFileExW
0x45112c GetTimeZoneInformation
0x451130 HeapReAlloc
0x451134 ReadConsoleW
0x451138 SetStdHandle
0x45113c GetFullPathNameW
0x451140 GetCurrentDirectoryW
0x451144 DeleteFileW
0x451148 EnumSystemLocalesW
0x45114c GetUserDefaultLCID
0x451150 IsValidLocale
0x451154 GetLocaleInfoW
0x451158 LCMapStringW
0x45115c CompareStringW
0x451160 HeapAlloc
0x451164 HeapFree
0x451168 GetConsoleMode
0x45116c GetConsoleOutputCP
0x451170 FlushFileBuffers
0x451174 SetFilePointerEx
0x451178 GetFileSizeEx
0x45117c GetCommandLineW
0x451180 GetCommandLineA
0x451184 GetStdHandle
0x451188 GetModuleFileNameW
0x45118c FileTimeToSystemTime
0x451190 SystemTimeToTzSpecificLocalTime
0x451194 GetFileType
0x451198 GetFileInformationByHandle
0x45119c GetDriveTypeW
0x4511a0 CreateFileW
0x4511a4 RaiseException
0x4511a8 GetCurrentThreadId
0x4511ac IsProcessorFeaturePresent
0x4511b0 FreeLibraryWhenCallbackReturns
0x4511b4 CreateThreadpoolWork
0x4511b8 SubmitThreadpoolWork
0x4511bc CloseThreadpoolWork
0x4511c0 GetModuleHandleExW
0x4511c4 InitializeConditionVariable
0x4511c8 WakeConditionVariable
0x4511cc WakeAllConditionVariable
0x4511d0 SleepConditionVariableCS
0x4511d4 SleepConditionVariableSRW
0x4511d8 InitOnceComplete
0x4511dc InitOnceBeginInitialize
0x4511e0 InitializeSRWLock
0x4511e4 ReleaseSRWLockExclusive
0x4511e8 AcquireSRWLockExclusive
0x4511ec EnterCriticalSection
0x4511f0 LeaveCriticalSection
0x4511f4 InitializeCriticalSectionEx
0x4511f8 TryEnterCriticalSection
0x4511fc DeleteCriticalSection
0x451200 WaitForSingleObjectEx
0x451204 QueryPerformanceCounter
0x451208 GetSystemTimeAsFileTime
0x45120c GetModuleHandleW
0x451210 EncodePointer
0x451214 DecodePointer
0x451218 MultiByteToWideChar
0x45121c WideCharToMultiByte
0x451220 LCMapStringEx
0x451224 GetStringTypeW
0x451228 GetCPInfo
0x45122c InitializeCriticalSectionAndSpinCount
0x451230 SetEvent
0x451234 ResetEvent
0x451238 CreateEventW
0x45123c UnhandledExceptionFilter
0x451240 SetUnhandledExceptionFilter
0x451244 GetCurrentProcess
0x451248 TerminateProcess
0x45124c IsDebuggerPresent
0x451250 GetStartupInfoW
0x451254 GetCurrentProcessId
0x451258 InitializeSListHead
0x45125c RtlUnwind
0x451260 SetLastError
0x451264 TlsAlloc
0x451268 TlsGetValue
0x45126c TlsSetValue
0x451270 TlsFree
0x451274 FreeLibrary
0x451278 LoadLibraryExW
0x45127c ExitProcess
0x451280 WriteConsoleW
USER32.dll
0x451298 GetSystemMetrics
0x45129c ReleaseDC
0x4512a0 GetDC
GDI32.dll
0x451044 CreateCompatibleBitmap
0x451048 SelectObject
0x45104c CreateCompatibleDC
0x451050 DeleteObject
0x451054 BitBlt
ADVAPI32.dll
0x451000 RevertToSelf
0x451004 RegCloseKey
0x451008 RegQueryInfoKeyW
0x45100c RegGetValueA
0x451010 RegQueryValueExA
0x451014 GetSidSubAuthorityCount
0x451018 GetSidSubAuthority
0x45101c GetUserNameA
0x451020 LookupAccountNameA
0x451024 ImpersonateLoggedOnUser
0x451028 RegSetValueExA
0x45102c OpenProcessToken
0x451030 RegOpenKeyExA
0x451034 RegEnumValueA
0x451038 DuplicateTokenEx
0x45103c GetSidIdentifierAuthority
SHELL32.dll
0x451288 SHGetFolderPathA
0x45128c ShellExecuteA
0x451290 SHFileOperationA
ole32.dll
0x451328 CoUninitialize
0x45132c CoCreateInstance
0x451330 CoInitialize
WININET.dll
0x4512a8 HttpOpenRequestA
0x4512ac InternetWriteFile
0x4512b0 InternetOpenUrlA
0x4512b4 InternetOpenW
0x4512b8 HttpEndRequestW
0x4512bc HttpAddRequestHeadersA
0x4512c0 HttpSendRequestExA
0x4512c4 InternetOpenA
0x4512c8 InternetCloseHandle
0x4512cc HttpSendRequestA
0x4512d0 InternetConnectA
0x4512d4 InternetReadFile
gdiplus.dll
0x451308 GdiplusStartup
0x45130c GdipSaveImageToFile
0x451310 GdipGetImageEncodersSize
0x451314 GdiplusShutdown
0x451318 GdipGetImageEncoders
0x45131c GdipCreateBitmapFromHBITMAP
0x451320 GdipDisposeImage
WS2_32.dll
0x4512dc closesocket
0x4512e0 inet_pton
0x4512e4 getaddrinfo
0x4512e8 WSAStartup
0x4512ec send
0x4512f0 socket
0x4512f4 connect
0x4512f8 recv
0x4512fc htons
0x451300 freeaddrinfo
EAT (Export Address Table): none