D:\Mktmp\Amadey\Release\Amadey.pdb
Behavioral task
behavioral1
Sample
080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
-
Size
205KB
-
MD5
080084c285683066d6c5b41f76b3b430
-
SHA1
524b4631a18e977c93c474c09b32f806129d165c
-
SHA256
c4f30b93fd4341190482e6d81ac4bb149be4647dd994b0919e96c20312167004
-
SHA512
a8561a0edc32d4f5d28942cabd5b6c45b8c666bceb6a0a983e1a90f34f91894598a3c056ae5d29a6d3b4db560ac5b6ae469cd10ed118799c605b7c9df5570edd
-
SSDEEP
3072:CXkSckkHbzG1iXAt60p0zuNmnKG7peNMQbuZAItb2y3xfpT:8kSDAzG1iciuInRexuZAIvx
Malware Config
Extracted
amadey
3.84
2f2805
http://77.91.68.63
-
install_dir
200f691d32
-
install_file
rugen.exe
-
strings_key
e6ad3da56139a7f602e521090c482398
-
url_paths
/doma/net/index.php
Signatures
-
Amadey family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
Files
-
080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe.exe windows:6 windows x86 arch:x86
f8cc61ade86cb7277d0ab974de6323cb
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
kernel32
GetFileAttributesA
CreateFileA
CloseHandle
GetSystemInfo
CreateThread
HeapAlloc
GetThreadContext
GetProcAddress
VirtualAllocEx
LocalFree
GetLastError
ReadProcessMemory
GetProcessHeap
CreateProcessA
CreateDirectoryA
SetThreadContext
WriteConsoleW
ReadConsoleW
SetEndOfFile
SetFilePointerEx
GetTempPathA
Sleep
SetCurrentDirectoryA
GetModuleHandleA
GetComputerNameExW
ResumeThread
GetVersionExW
CreateMutexA
VirtualAlloc
WriteFile
VirtualFree
HeapFree
WriteProcessMemory
GetModuleFileNameA
RemoveDirectoryA
ReadFile
HeapReAlloc
HeapSize
GetTimeZoneInformation
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetStringTypeW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
WideCharToMultiByte
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
DeleteFileW
LCMapStringW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RaiseException
SetLastError
RtlUnwind
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetModuleFileNameW
GetStdHandle
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
CompareStringW
DecodePointer
advapi32
RegCloseKey
RegQueryValueExA
GetUserNameA
RegSetValueExA
RegOpenKeyExA
ConvertSidToStringSidW
GetUserNameW
LookupAccountNameW
shell32
SHGetFolderPathA
ShellExecuteA
ord680
SHFileOperationA
wininet
HttpOpenRequestA
InternetReadFile
InternetConnectA
HttpSendRequestA
InternetCloseHandle
InternetOpenA
InternetOpenW
InternetOpenUrlA
Sections
.text Size: 157KB - Virtual size: 157KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 31KB - Virtual size: 31KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ