Behavioral task
behavioral1
Sample
f50c34273870841df335fa73d1cd9c2acb9de70e4ed77dabfcc9eb98dcff9b54.exe
Resource
win7-20240221-en
General
-
Target
7631744f38037f6f9cf0e5de0457596dd8c952ff6f88bca44861a6285d83634f
-
Size
202KB
-
MD5
14d18fafe75ced280249b0d5cfb6a23e
-
SHA1
f815bf22125ca912be5461eff027a9de6f0c4e63
-
SHA256
7631744f38037f6f9cf0e5de0457596dd8c952ff6f88bca44861a6285d83634f
-
SHA512
5a0c57fd35eb528ebcdde523564188a003b95dd8c50a910dc8005d7d6f1a9a3878313526cfaddf4a9eb94396b2aa7f99467af375ee56cae3a8bf5f45ecf44274
-
SSDEEP
6144:hYtYG6hPtk6QSnMXh0h6c1eoyXBHkyqBE6CU1JX6Tsnk:yR6HMRW9nyxHkyqBB1Jqwnk
Malware Config
Extracted
amadey
4.17
http://5.42.64.4
-
install_dir
a0b3b7d4a5
-
install_file
Dctooux.exe
-
strings_key
be8779cf0e6231090471d1ca85ec4a38
-
url_paths
/jPdsj3d4M/index.php
Signatures
-
Amadey family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/f50c34273870841df335fa73d1cd9c2acb9de70e4ed77dabfcc9eb98dcff9b54.exe
Files
-
7631744f38037f6f9cf0e5de0457596dd8c952ff6f88bca44861a6285d83634f.zip
Password: infected
-
f50c34273870841df335fa73d1cd9c2acb9de70e4ed77dabfcc9eb98dcff9b54.exe.exe windows:6 windows x86 arch:x86
7cb9aa2297e5fe3e1ffa772b481cce9b
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
CloseHandle
GetSystemInfo
CreateThread
GetLocalTime
GetThreadContext
GetProcAddress
VirtualAllocEx
RemoveDirectoryA
CreateFileA
CreateProcessA
CreateDirectoryA
SetThreadContext
SetEndOfFile
DecodePointer
ReadConsoleW
HeapReAlloc
HeapSize
GetFileAttributesA
GetLastError
GetTempPathA
Sleep
GetModuleHandleA
SetCurrentDirectoryA
ResumeThread
GetComputerNameExW
GetVersionExW
CreateMutexA
VirtualAlloc
WriteFile
VirtualFree
WriteProcessMemory
GetModuleFileNameA
ReadProcessMemory
ReadFile
GetTimeZoneInformation
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetStringTypeW
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
SetFilePointerEx
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
DeleteFileW
LCMapStringW
CompareStringW
MultiByteToWideChar
HeapAlloc
HeapFree
GetCommandLineW
GetCommandLineA
GetStdHandle
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileType
GetFileInformationByHandle
GetDriveTypeW
RaiseException
GetCurrentThreadId
IsProcessorFeaturePresent
QueueUserWorkItem
GetModuleHandleExW
FormatMessageW
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
GetModuleHandleW
WaitForSingleObjectEx
QueryPerformanceCounter
SetEvent
ResetEvent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
CreateTimerQueue
SignalObjectAndWait
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
EncodePointer
GetCurrentThread
GetThreadTimes
FreeLibrary
FreeLibraryAndExitThread
GetModuleFileNameW
LoadLibraryExW
VirtualProtect
DuplicateHandle
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
RtlUnwind
ExitProcess
CreateFileW
WriteConsoleW
advapi32
RegCloseKey
RegQueryValueExA
GetSidSubAuthorityCount
GetSidSubAuthority
GetUserNameA
LookupAccountNameA
RegSetValueExA
RegOpenKeyExA
GetSidIdentifierAuthority
shell32
SHGetFolderPathA
ShellExecuteA
ord680
SHFileOperationA
ole32
CoUninitialize
CoCreateInstance
CoInitialize
wininet
HttpOpenRequestA
InternetOpenUrlA
InternetOpenW
InternetOpenA
InternetCloseHandle
HttpSendRequestA
InternetConnectA
InternetReadFile
ws2_32
closesocket
inet_pton
getaddrinfo
WSAStartup
send
socket
connect
recv
htons
freeaddrinfo
Sections
.text Size: 303KB - Virtual size: 302KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 68KB - Virtual size: 68KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 12KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 19KB - Virtual size: 18KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ