ScreenShot
| Created | 2025.05.04 12:56 | Machine | s1_win7_x6401 |
| Filename | amnew.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 56 detected (Malicious, score, Convagent, Doina, Unsafe, Save, confidence, 100%, Delf, Genus, Whispergate, high confidence, Amadey, MalwareX, kxcmvw, CLASSIC, Redcap, prxhe, MulDrop31, YXFEBZ, Real Protect, moderate, Static AI, Malicious PE, Deyma, Detected, Multiverze, Eldorado, R679980, Artemis, BScope, Genetic, PE04C9Z, Gajl, susgen) | ||
| md5 | 5757874c90b7195e09be379b05ac125f | ||
| sha256 | 5bfafd2f7b59fcb7bbf8827cd24061a450da4db6339d94ec51b3d8f3e55057cd | ||
| ssdeep | 6144:PiUuedoV3Fd31slcPGJHpnzB4v1IkpeZfkCw3uWgGUS/T+WiU+9OTA/ngQAOVmjw:PiUuedoV3Fd6l+spzq4kCweWgB789c | ||
| imphash | 1e7280afbf80c2800b272220ce0718da | ||
| impfuzzy | 96:8X+W8GjAlh55WJcpH+r26ptWrDZDGRgFBh1:8JaBWwZVh1 | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the version of Bios |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects VMWare through the in instruction feature |
| watch | Installs itself for autorun at Windows startup |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process taren.exe |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Expresses interest in specific running processes |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| warning | themida_packer | themida packer | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Amadey CnC Response
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Amadey CnC Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x44f05c CreateFileA
0x44f060 Process32FirstW
0x44f064 CloseHandle
0x44f068 GetSystemInfo
0x44f06c CreateThread
0x44f070 GetThreadContext
0x44f074 GetProcAddress
0x44f078 VirtualAllocEx
0x44f07c CreateToolhelp32Snapshot
0x44f080 Process32NextW
0x44f084 CreateProcessA
0x44f088 CreateDirectoryA
0x44f08c SetThreadContext
0x44f090 SetEndOfFile
0x44f094 HeapSize
0x44f098 GetProcessHeap
0x44f09c SetEnvironmentVariableW
0x44f0a0 Sleep
0x44f0a4 GetFileAttributesA
0x44f0a8 GetLastError
0x44f0ac Wow64RevertWow64FsRedirection
0x44f0b0 GetTempPathA
0x44f0b4 ReadProcessMemory
0x44f0b8 SetCurrentDirectoryA
0x44f0bc OpenProcess
0x44f0c0 GetModuleHandleA
0x44f0c4 ResumeThread
0x44f0c8 GetComputerNameExW
0x44f0cc GetVersionExW
0x44f0d0 WaitForSingleObject
0x44f0d4 CreateMutexA
0x44f0d8 PeekNamedPipe
0x44f0dc CreatePipe
0x44f0e0 VirtualAlloc
0x44f0e4 Wow64DisableWow64FsRedirection
0x44f0e8 WriteFile
0x44f0ec VirtualFree
0x44f0f0 SetHandleInformation
0x44f0f4 WriteProcessMemory
0x44f0f8 GetModuleFileNameA
0x44f0fc RemoveDirectoryA
0x44f100 ReadFile
0x44f104 FreeEnvironmentStringsW
0x44f108 GetEnvironmentStringsW
0x44f10c GetOEMCP
0x44f110 GetACP
0x44f114 IsValidCodePage
0x44f118 FindNextFileW
0x44f11c FindFirstFileExW
0x44f120 FindClose
0x44f124 GetTimeZoneInformation
0x44f128 HeapReAlloc
0x44f12c ReadConsoleW
0x44f130 SetStdHandle
0x44f134 GetFullPathNameW
0x44f138 GetCurrentDirectoryW
0x44f13c DeleteFileW
0x44f140 EnumSystemLocalesW
0x44f144 GetUserDefaultLCID
0x44f148 IsValidLocale
0x44f14c GetLocaleInfoW
0x44f150 LCMapStringW
0x44f154 CompareStringW
0x44f158 HeapAlloc
0x44f15c HeapFree
0x44f160 GetConsoleMode
0x44f164 GetConsoleOutputCP
0x44f168 FlushFileBuffers
0x44f16c SetFilePointerEx
0x44f170 GetFileSizeEx
0x44f174 GetCommandLineW
0x44f178 GetCommandLineA
0x44f17c GetStdHandle
0x44f180 GetModuleFileNameW
0x44f184 FileTimeToSystemTime
0x44f188 SystemTimeToTzSpecificLocalTime
0x44f18c GetFileType
0x44f190 GetFileInformationByHandle
0x44f194 GetDriveTypeW
0x44f198 RaiseException
0x44f19c GetCurrentThreadId
0x44f1a0 IsProcessorFeaturePresent
0x44f1a4 FreeLibraryWhenCallbackReturns
0x44f1a8 CreateThreadpoolWork
0x44f1ac SubmitThreadpoolWork
0x44f1b0 CloseThreadpoolWork
0x44f1b4 GetModuleHandleExW
0x44f1b8 InitializeConditionVariable
0x44f1bc WakeConditionVariable
0x44f1c0 WakeAllConditionVariable
0x44f1c4 SleepConditionVariableCS
0x44f1c8 SleepConditionVariableSRW
0x44f1cc InitOnceComplete
0x44f1d0 InitOnceBeginInitialize
0x44f1d4 InitializeSRWLock
0x44f1d8 ReleaseSRWLockExclusive
0x44f1dc AcquireSRWLockExclusive
0x44f1e0 EnterCriticalSection
0x44f1e4 LeaveCriticalSection
0x44f1e8 InitializeCriticalSectionEx
0x44f1ec TryEnterCriticalSection
0x44f1f0 DeleteCriticalSection
0x44f1f4 WaitForSingleObjectEx
0x44f1f8 QueryPerformanceCounter
0x44f1fc GetSystemTimeAsFileTime
0x44f200 GetModuleHandleW
0x44f204 EncodePointer
0x44f208 DecodePointer
0x44f20c MultiByteToWideChar
0x44f210 WideCharToMultiByte
0x44f214 LCMapStringEx
0x44f218 GetStringTypeW
0x44f21c GetCPInfo
0x44f220 InitializeCriticalSectionAndSpinCount
0x44f224 SetEvent
0x44f228 ResetEvent
0x44f22c CreateEventW
0x44f230 UnhandledExceptionFilter
0x44f234 SetUnhandledExceptionFilter
0x44f238 GetCurrentProcess
0x44f23c TerminateProcess
0x44f240 IsDebuggerPresent
0x44f244 GetStartupInfoW
0x44f248 GetCurrentProcessId
0x44f24c InitializeSListHead
0x44f250 RtlUnwind
0x44f254 SetLastError
0x44f258 TlsAlloc
0x44f25c TlsGetValue
0x44f260 TlsSetValue
0x44f264 TlsFree
0x44f268 FreeLibrary
0x44f26c LoadLibraryExW
0x44f270 ExitProcess
0x44f274 CreateFileW
0x44f278 WriteConsoleW
USER32.dll
0x44f290 GetSystemMetrics
0x44f294 ReleaseDC
0x44f298 GetDC
GDI32.dll
0x44f044 BitBlt
0x44f048 CreateCompatibleBitmap
0x44f04c SelectObject
0x44f050 CreateCompatibleDC
0x44f054 DeleteObject
ADVAPI32.dll
0x44f000 RevertToSelf
0x44f004 RegCloseKey
0x44f008 RegQueryInfoKeyW
0x44f00c RegGetValueA
0x44f010 RegQueryValueExA
0x44f014 GetSidSubAuthorityCount
0x44f018 GetSidSubAuthority
0x44f01c GetUserNameA
0x44f020 LookupAccountNameA
0x44f024 ImpersonateLoggedOnUser
0x44f028 RegSetValueExA
0x44f02c OpenProcessToken
0x44f030 RegOpenKeyExA
0x44f034 RegEnumValueA
0x44f038 DuplicateTokenEx
0x44f03c GetSidIdentifierAuthority
SHELL32.dll
0x44f280 SHGetFolderPathA
0x44f284 ShellExecuteA
0x44f288 SHFileOperationA
ole32.dll
0x44f320 CoUninitialize
0x44f324 CoCreateInstance
0x44f328 CoInitialize
WININET.dll
0x44f2a0 HttpOpenRequestA
0x44f2a4 InternetWriteFile
0x44f2a8 InternetOpenUrlA
0x44f2ac InternetOpenW
0x44f2b0 HttpEndRequestW
0x44f2b4 HttpAddRequestHeadersA
0x44f2b8 HttpSendRequestExA
0x44f2bc InternetOpenA
0x44f2c0 InternetCloseHandle
0x44f2c4 HttpSendRequestA
0x44f2c8 InternetConnectA
0x44f2cc InternetReadFile
gdiplus.dll
0x44f300 GdiplusStartup
0x44f304 GdipSaveImageToFile
0x44f308 GdipGetImageEncodersSize
0x44f30c GdiplusShutdown
0x44f310 GdipGetImageEncoders
0x44f314 GdipCreateBitmapFromHBITMAP
0x44f318 GdipDisposeImage
WS2_32.dll
0x44f2d4 closesocket
0x44f2d8 inet_pton
0x44f2dc getaddrinfo
0x44f2e0 WSAStartup
0x44f2e4 send
0x44f2e8 socket
0x44f2ec connect
0x44f2f0 recv
0x44f2f4 htons
0x44f2f8 freeaddrinfo
EAT(Export Address Table) is none
KERNEL32.dll
0x44f05c CreateFileA
0x44f060 Process32FirstW
0x44f064 CloseHandle
0x44f068 GetSystemInfo
0x44f06c CreateThread
0x44f070 GetThreadContext
0x44f074 GetProcAddress
0x44f078 VirtualAllocEx
0x44f07c CreateToolhelp32Snapshot
0x44f080 Process32NextW
0x44f084 CreateProcessA
0x44f088 CreateDirectoryA
0x44f08c SetThreadContext
0x44f090 SetEndOfFile
0x44f094 HeapSize
0x44f098 GetProcessHeap
0x44f09c SetEnvironmentVariableW
0x44f0a0 Sleep
0x44f0a4 GetFileAttributesA
0x44f0a8 GetLastError
0x44f0ac Wow64RevertWow64FsRedirection
0x44f0b0 GetTempPathA
0x44f0b4 ReadProcessMemory
0x44f0b8 SetCurrentDirectoryA
0x44f0bc OpenProcess
0x44f0c0 GetModuleHandleA
0x44f0c4 ResumeThread
0x44f0c8 GetComputerNameExW
0x44f0cc GetVersionExW
0x44f0d0 WaitForSingleObject
0x44f0d4 CreateMutexA
0x44f0d8 PeekNamedPipe
0x44f0dc CreatePipe
0x44f0e0 VirtualAlloc
0x44f0e4 Wow64DisableWow64FsRedirection
0x44f0e8 WriteFile
0x44f0ec VirtualFree
0x44f0f0 SetHandleInformation
0x44f0f4 WriteProcessMemory
0x44f0f8 GetModuleFileNameA
0x44f0fc RemoveDirectoryA
0x44f100 ReadFile
0x44f104 FreeEnvironmentStringsW
0x44f108 GetEnvironmentStringsW
0x44f10c GetOEMCP
0x44f110 GetACP
0x44f114 IsValidCodePage
0x44f118 FindNextFileW
0x44f11c FindFirstFileExW
0x44f120 FindClose
0x44f124 GetTimeZoneInformation
0x44f128 HeapReAlloc
0x44f12c ReadConsoleW
0x44f130 SetStdHandle
0x44f134 GetFullPathNameW
0x44f138 GetCurrentDirectoryW
0x44f13c DeleteFileW
0x44f140 EnumSystemLocalesW
0x44f144 GetUserDefaultLCID
0x44f148 IsValidLocale
0x44f14c GetLocaleInfoW
0x44f150 LCMapStringW
0x44f154 CompareStringW
0x44f158 HeapAlloc
0x44f15c HeapFree
0x44f160 GetConsoleMode
0x44f164 GetConsoleOutputCP
0x44f168 FlushFileBuffers
0x44f16c SetFilePointerEx
0x44f170 GetFileSizeEx
0x44f174 GetCommandLineW
0x44f178 GetCommandLineA
0x44f17c GetStdHandle
0x44f180 GetModuleFileNameW
0x44f184 FileTimeToSystemTime
0x44f188 SystemTimeToTzSpecificLocalTime
0x44f18c GetFileType
0x44f190 GetFileInformationByHandle
0x44f194 GetDriveTypeW
0x44f198 RaiseException
0x44f19c GetCurrentThreadId
0x44f1a0 IsProcessorFeaturePresent
0x44f1a4 FreeLibraryWhenCallbackReturns
0x44f1a8 CreateThreadpoolWork
0x44f1ac SubmitThreadpoolWork
0x44f1b0 CloseThreadpoolWork
0x44f1b4 GetModuleHandleExW
0x44f1b8 InitializeConditionVariable
0x44f1bc WakeConditionVariable
0x44f1c0 WakeAllConditionVariable
0x44f1c4 SleepConditionVariableCS
0x44f1c8 SleepConditionVariableSRW
0x44f1cc InitOnceComplete
0x44f1d0 InitOnceBeginInitialize
0x44f1d4 InitializeSRWLock
0x44f1d8 ReleaseSRWLockExclusive
0x44f1dc AcquireSRWLockExclusive
0x44f1e0 EnterCriticalSection
0x44f1e4 LeaveCriticalSection
0x44f1e8 InitializeCriticalSectionEx
0x44f1ec TryEnterCriticalSection
0x44f1f0 DeleteCriticalSection
0x44f1f4 WaitForSingleObjectEx
0x44f1f8 QueryPerformanceCounter
0x44f1fc GetSystemTimeAsFileTime
0x44f200 GetModuleHandleW
0x44f204 EncodePointer
0x44f208 DecodePointer
0x44f20c MultiByteToWideChar
0x44f210 WideCharToMultiByte
0x44f214 LCMapStringEx
0x44f218 GetStringTypeW
0x44f21c GetCPInfo
0x44f220 InitializeCriticalSectionAndSpinCount
0x44f224 SetEvent
0x44f228 ResetEvent
0x44f22c CreateEventW
0x44f230 UnhandledExceptionFilter
0x44f234 SetUnhandledExceptionFilter
0x44f238 GetCurrentProcess
0x44f23c TerminateProcess
0x44f240 IsDebuggerPresent
0x44f244 GetStartupInfoW
0x44f248 GetCurrentProcessId
0x44f24c InitializeSListHead
0x44f250 RtlUnwind
0x44f254 SetLastError
0x44f258 TlsAlloc
0x44f25c TlsGetValue
0x44f260 TlsSetValue
0x44f264 TlsFree
0x44f268 FreeLibrary
0x44f26c LoadLibraryExW
0x44f270 ExitProcess
0x44f274 CreateFileW
0x44f278 WriteConsoleW
USER32.dll
0x44f290 GetSystemMetrics
0x44f294 ReleaseDC
0x44f298 GetDC
GDI32.dll
0x44f044 BitBlt
0x44f048 CreateCompatibleBitmap
0x44f04c SelectObject
0x44f050 CreateCompatibleDC
0x44f054 DeleteObject
ADVAPI32.dll
0x44f000 RevertToSelf
0x44f004 RegCloseKey
0x44f008 RegQueryInfoKeyW
0x44f00c RegGetValueA
0x44f010 RegQueryValueExA
0x44f014 GetSidSubAuthorityCount
0x44f018 GetSidSubAuthority
0x44f01c GetUserNameA
0x44f020 LookupAccountNameA
0x44f024 ImpersonateLoggedOnUser
0x44f028 RegSetValueExA
0x44f02c OpenProcessToken
0x44f030 RegOpenKeyExA
0x44f034 RegEnumValueA
0x44f038 DuplicateTokenEx
0x44f03c GetSidIdentifierAuthority
SHELL32.dll
0x44f280 SHGetFolderPathA
0x44f284 ShellExecuteA
0x44f288 SHFileOperationA
ole32.dll
0x44f320 CoUninitialize
0x44f324 CoCreateInstance
0x44f328 CoInitialize
WININET.dll
0x44f2a0 HttpOpenRequestA
0x44f2a4 InternetWriteFile
0x44f2a8 InternetOpenUrlA
0x44f2ac InternetOpenW
0x44f2b0 HttpEndRequestW
0x44f2b4 HttpAddRequestHeadersA
0x44f2b8 HttpSendRequestExA
0x44f2bc InternetOpenA
0x44f2c0 InternetCloseHandle
0x44f2c4 HttpSendRequestA
0x44f2c8 InternetConnectA
0x44f2cc InternetReadFile
gdiplus.dll
0x44f300 GdiplusStartup
0x44f304 GdipSaveImageToFile
0x44f308 GdipGetImageEncodersSize
0x44f30c GdiplusShutdown
0x44f310 GdipGetImageEncoders
0x44f314 GdipCreateBitmapFromHBITMAP
0x44f318 GdipDisposeImage
WS2_32.dll
0x44f2d4 closesocket
0x44f2d8 inet_pton
0x44f2dc getaddrinfo
0x44f2e0 WSAStartup
0x44f2e4 send
0x44f2e8 socket
0x44f2ec connect
0x44f2f0 recv
0x44f2f4 htons
0x44f2f8 freeaddrinfo
EAT(Export Address Table) is none