amogus[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

amogus.exe
Size

20.2MB
MD5

386d88879d9c74996dcd96e62075133e
SHA1

a27e49c27138a358475e51c3144f35c3a2ee8737
SHA256

4c4fcee72003d73ba1db1653ea249cf48dc8d968e305f655f2ef9068fe7c4f6b
SHA512

7398f39e051ff1392981b103fc6a7124442618d19f75c77a5dc6c4d18c4dbd52c25245d5b96ae6aa11971aa837f7cba67c9542e87875cdbb53dbae8bdbcf27ce
SSDEEP

98304:pxbEEOFnRyuZBcmypCtRoBcyQ2mAB4LFw1mVETdiKIZYYP7WMe5uEBuH7idrj:pxbEEmBczpEucLzC4LitpiS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
amogus.exe

Files

amogus.exe
.exe windows:6 windows x64 arch:x64

Password: 1234sus

8a76bae162dffe5480ae99ebb5a870c5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\wgmlg\sussh\susser\target\debug\deps\amogus.pdb

Imports

kernel32

WriteConsoleW
CreateFileW
GetDiskFreeSpaceExW
GetExitCodeProcess
CreateProcessW
GlobalMemoryStatusEx
GetTickCount64
CreateEventA
GetLastError
CreateEventW
WaitForMultipleObjects
GetDriveTypeW
WaitForSingleObject
ReleaseSRWLockShared
AcquireSRWLockShared
SleepConditionVariableSRW
RegisterWaitForSingleObject
FreeEnvironmentStringsW
ReleaseMutex
FindClose
CompareStringOrdinal
AddVectoredExceptionHandler
SetThreadStackGuarantee
SwitchToThread
GetCurrentThread
RtlCaptureContext
RtlLookupFunctionEntry
GetCurrentDirectoryW
GetEnvironmentStringsW
GetEnvironmentVariableW
SetEnvironmentVariableW
GetLogicalProcessorInformationEx
OpenProcess
SetFilePointerEx
WriteFileEx
SleepEx
ReadFileEx
TerminateProcess
GetVolumeInformationW
WakeConditionVariable
QueryPerformanceCounter
QueryPerformanceFrequency
GetProcessHeap
HeapReAlloc
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetFileInformationByHandle
CreateDirectoryW
FindFirstFileW
DeleteFileW
MoveFileExW
GetFinalPathNameByHandleW
CopyFileExW
CancelIo
HeapAlloc
HeapFree
SystemTimeToFileTime
GetModuleHandleW
GetModuleFileNameW
ExitProcess
GetFullPathNameW
GetSystemDirectoryW
GetWindowsDirectoryW
GetFileAttributesW
MultiByteToWideChar
CreateThread
TlsGetValue
TlsSetValue
GetSystemTimeAsFileTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
GetFileInformationByHandleEx
DeviceIoControl
GetFileType
GetStdHandle
GetComputerNameExW
SetConsoleMode
GetLogicalDrives
GetConsoleMode
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
CloseHandle
TryAcquireSRWLockExclusive
GetCurrentProcessId
SetLastError
SetHandleInformation
LocalFree
CreateNamedPipeW
FormatMessageA
LoadLibraryExA
GetModuleFileNameA
FreeLibrary
FormatMessageW
WakeAllConditionVariable
GetProcAddress
GetModuleHandleA
Sleep
SetFileCompletionNotificationModes
GetProcessTimes
VirtualQueryEx
RtlVirtualUnwind
ReadProcessMemory
PostQueuedCompletionStatus
GetQueuedCompletionStatusEx
CreateIoCompletionPort
GetOverlappedResult
ReadFile
GetSystemTimes
GetProcessIoCounters
DuplicateHandle
GetCurrentProcess
UnregisterWaitEx
SetConsoleCtrlHandler
GetCommandLineW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentThreadId
GetSystemInfo
InitializeSListHead
IsDebuggerPresent
AttachConsole
ReleaseSRWLockExclusive
AcquireSRWLockExclusive

advapi32

RegCloseKey
CopySid
LookupAccountSidW
SystemFunction036
ConvertSidToStringSidW
GetTokenInformation
GetLengthSid
CreateWellKnownSid
IsWellKnownSid
CheckTokenMembership
DuplicateTokenEx
RegOpenKeyExW
RegQueryValueExW
IsValidSid
OpenProcessToken

secur32

AcceptSecurityContext
InitializeSecurityContextW
LsaFreeReturnBuffer
FreeContextBuffer
LsaEnumerateLogonSessions
AcquireCredentialsHandleA
QueryContextAttributesW
DeleteSecurityContext
DecryptMessage
EncryptMessage
LsaGetLogonSessionData
ApplyControlToken
FreeCredentialsHandle

crypt32

CertFreeCertificateContext
CertDuplicateCertificateContext
CertAddCertificateContextToStore
CertDuplicateCertificateChain
CertFreeCertificateChain
CertEnumCertificatesInStore
CertOpenStore
CertDuplicateStore
CertCloseStore
CertGetCertificateChain
CertVerifyCertificateChainPolicy

ws2_32

setsockopt
WSAIoctl
WSASend
send
recv
shutdown
getpeername
getsockname
accept
listen
connect
bind
WSASocketW
closesocket
ioctlsocket
getaddrinfo
freeaddrinfo
WSACleanup
WSAStartup
WSAGetLastError
socket
getsockopt

ole32

CoInitializeEx
CoSetProxyBlanket
CoInitializeSecurity
CoUninitialize
CoCreateInstance

oleaut32

VariantClear
SysFreeString
SysAllocString

iphlpapi

GetIfTable2
FreeMibTable
GetIfEntry2
GetIpForwardTable
GetAdaptersAddresses

psapi

GetPerformanceInfo
GetModuleFileNameExW

ntdll

RtlGetVersion
NtCreateFile
NtCancelIoFileEx
RtlNtStatusToDosError
NtDeviceIoControlFile
NtQueryInformationProcess
NtWriteFile
NtReadFile
NtQuerySystemInformation

pdh

PdhAddEnglishCounterW
PdhRemoveCounter
PdhCollectQueryDataEx
PdhCloseQuery
PdhOpenQueryA
PdhAddEnglishCounterA
PdhCollectQueryData
PdhGetFormattedCounterValue

powrprof

CallNtPowerInformation

shell32

CommandLineToArgvW

netapi32

NetUserGetInfo
NetApiBufferFree
NetUserGetLocalGroups
NetUserEnum

bcrypt

BCryptGenRandom

vcruntime140

memmove
__CxxFrameHandler3
memset
memcmp
strstr
strchr
memchr
strrchr
longjmp
_CxxThrowException
__C_specific_handler
__intrinsic_setjmp
__current_exception
__current_exception_context
memcpy

api-ms-win-crt-math-l1-1-0

pow
sinh
sin
floor
atan2
ldexp
__setusermatherr
sqrt
acos
tan
asin
tanh
log10
log
fmod
exp
cosh
cos
ceil
frexp

api-ms-win-crt-heap-l1-1-0

realloc
free
calloc
_set_new_mode
malloc

api-ms-win-crt-utility-l1-1-0

_byteswap_uint64
_rotl64
_byteswap_ulong
qsort

api-ms-win-crt-stdio-l1-1-0

fopen
fread
__p__commode
getc
_set_fmode
clearerr
_fseeki64
tmpnam
_ftelli64
_pclose
_popen
ferror
feof
tmpfile
__stdio_common_vsprintf
fgets
fclose
ungetc
fwrite
freopen
__acrt_iob_func
fflush
__stdio_common_vfprintf
setvbuf

api-ms-win-crt-time-l1-1-0

strftime
_mktime64
_localtime64
_gmtime64
_difftime64
clock
_time64

api-ms-win-crt-runtime-l1-1-0

system
exit
_wassert
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_errno
_set_app_type
strerror
abort
_crt_atexit
terminate
_register_onexit_function
_initialize_onexit_table
__p___argc
__p___argv
_seh_filter_exe
_c_exit
_register_thread_local_exe_atexit_callback
_cexit

api-ms-win-crt-string-l1-1-0

iscntrl
isxdigit
strspn
wcslen
strpbrk
isspace
strcoll
isgraph
ispunct
islower
strlen
isupper
strncmp
isdigit
isalnum
toupper
isalpha
tolower

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
setlocale
localeconv

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-filesystem-l1-1-0

rename
remove

api-ms-win-crt-convert-l1-1-0

strtod

Sections

.text
Size: 15.2MB - Virtual size: 15.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.9MB - Virtual size: 3.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1001KB - Virtual size: 1001KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 1234sus

8a76bae162dffe5480ae99ebb5a870c5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

secur32

crypt32

ws2_32

ole32

oleaut32

iphlpapi

psapi

ntdll

pdh

powrprof

shell32

netapi32

bcrypt

vcruntime140

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

Sections

.text Size: 15.2MB - Virtual size: 15.2MB

.rdata Size: 3.9MB - Virtual size: 3.9MB

.data Size: 38KB - Virtual size: 40KB

.pdata Size: 1001KB - Virtual size: 1001KB

.reloc Size: 69KB - Virtual size: 69KB

.text
Size: 15.2MB - Virtual size: 15.2MB

.rdata
Size: 3.9MB - Virtual size: 3.9MB

.data
Size: 38KB - Virtual size: 40KB

.pdata
Size: 1001KB - Virtual size: 1001KB

.reloc
Size: 69KB - Virtual size: 69KB