DigitalSide Threat Intel

madey.exe

First submission 2024-10-15 17:53:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 549.0 KB (562176 bytes)
Compile time: 2024-10-09 14:37:21
MD5: 689ff816fc3db38894e81abbdf63c02b
SHA1: aceb8ce81d4724d77a1b3031015f6e60d1139352
SHA256: f2ebbd96f7cf19aa8cc8b1273d1f80169de93ac4dde951ff4547177a11010945
Import Hash : 91d1583dab6f50e9cc35b0dbf587fb1f
Sections 5 .text .rdata .data .rsrc .reloc
Directories 5 import resource debug tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 51/77 VT report date: 2024-10-11 11:14:51
Malware Type 2 trojan downloader
Threat Type 3 amadey zusy deyma

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://shopping-nice.com/files/madey.exe VirusTotal Report shopping-nice.com VirusTotal Report 2024-10-15 17:53:02

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x66292 418816 1fed8e96be773099d26ce580ebe6ec4d2f80d7a6 2a70a11d9a43b02b291920aa110febe6
.rdata 0x68000 0x1913e 102912 f7c1e4252dad5d8f8f6ee26c73d4102b05abf8cd 936fd796e0e393fb4948f4dadf8e936c
.data 0x82000 0x7c34 14336 e9c6bb7bd3f8cef8b822dfc7c726733de7332512 f22e261e21cd109e9874c76c2fcae315
.rsrc 0x8a000 0x1e0 512 7a47eb909928898bd871e80e9e8519ab0406bb49 e2d2f7647d61a156924612e95904ad1f
.reloc 0x8b000 0x5ff0 24576 e7fa9481341e34919b676f8b051770a8279a1d9f d937d458e0c1ae681285b05342fea117

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x8a060 381

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 8

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Library
api-ms-win-core-synch-l1-2-0.dll
Bkernel32.dll
mscoree.dll
combase.dll
ADVAPI32.dll
SHELL32.dll
WININET.dll
WS2_32.dll
USER32.dll
gdiplus.dll
ntdll.dll
ole32.dll
GDI32.dll
KERNEL32.dll

Import functions

Function Address Souspicious Anti Debug
GdiplusStartup 0x468344
GdipSaveImageToFile 0x468348
GdipGetImageEncodersSize 0x46834c
GdiplusShutdown 0x468350
GdipGetImageEncoders 0x468354
GdipCreateBitmapFromHBITMAP 0x468358
GdipDisposeImage 0x46835c
Function Address Souspicious Anti Debug
HttpOpenRequestA 0x4682e4
InternetWriteFile 0x4682e8
InternetOpenUrlA 0x4682ec
InternetOpenW 0x4682f0
HttpEndRequestW 0x4682f4
HttpAddRequestHeadersA 0x4682f8
HttpSendRequestExA 0x4682fc
InternetOpenA 0x468300
InternetCloseHandle 0x468304
HttpSendRequestA 0x468308
InternetConnectA 0x46830c
InternetReadFile 0x468310
Function Address Souspicious Anti Debug
CreateCompatibleBitmap 0x468048
SelectObject 0x46804c
CreateCompatibleDC 0x468050
DeleteObject 0x468054
BitBlt 0x468058
Function Address Souspicious Anti Debug
SHGetFolderPathA 0x4682c4
ShellExecuteA 0x4682c8
SHFileOperationA 0x4682cc
Function Address Souspicious Anti Debug
GetFileAttributesA 0x468060
Process32NextW 0x468064
CreateFileA 0x468068
Process32FirstW 0x46806c
CloseHandle 0x468070
GetSystemInfo 0x468074
CreateThread 0x468078
GetLocalTime 0x46807c
GetThreadContext 0x468080
GetProcAddress 0x468084
GetLastError 0x468088
RemoveDirectoryA 0x46808c
ReadProcessMemory 0x468090
CreateProcessA 0x468094
CreateDirectoryA 0x468098
SetThreadContext 0x46809c
SetEndOfFile 0x4680a0
HeapSize 0x4680a4
GetProcessHeap 0x4680a8
SetEnvironmentVariableW 0x4680ac
FreeEnvironmentStringsW 0x4680b0
Wow64RevertWow64FsRedirection 0x4680b4
GetTempPathA 0x4680b8
Sleep 0x4680bc
CreateToolhelp32Snapshot 0x4680c0
OpenProcess 0x4680c4
SetCurrentDirectoryA 0x4680c8
GetModuleHandleA 0x4680cc
ResumeThread 0x4680d0
GetComputerNameExW 0x4680d4
GetVersionExW 0x4680d8
WaitForSingleObject 0x4680dc
CreateMutexA 0x4680e0
FindClose 0x4680e4
PeekNamedPipe 0x4680e8
CreatePipe 0x4680ec
FindNextFileA 0x4680f0
VirtualAlloc 0x4680f4
Wow64DisableWow64FsRedirection 0x4680f8
WriteFile 0x4680fc
VirtualFree 0x468100
FindFirstFileA 0x468104
SetHandleInformation 0x468108
WriteProcessMemory 0x46810c
GetModuleFileNameA 0x468110
VirtualAllocEx 0x468114
ReadFile 0x468118
GetEnvironmentStringsW 0x46811c
GetOEMCP 0x468120
GetACP 0x468124
IsValidCodePage 0x468128
FindNextFileW 0x46812c
FindFirstFileExW 0x468130
GetTimeZoneInformation 0x468134
HeapReAlloc 0x468138
ReadConsoleW 0x46813c
SetStdHandle 0x468140
GetFullPathNameW 0x468144
GetCurrentDirectoryW 0x468148
DeleteFileW 0x46814c
EnumSystemLocalesW 0x468150
GetUserDefaultLCID 0x468154
IsValidLocale 0x468158
HeapAlloc 0x46815c
HeapFree 0x468160
GetConsoleMode 0x468164
GetConsoleCP 0x468168
FlushFileBuffers 0x46816c
SetFilePointerEx 0x468170
GetFileSizeEx 0x468174
GetCommandLineW 0x468178
GetCommandLineA 0x46817c
GetStdHandle 0x468180
FileTimeToSystemTime 0x468184
SystemTimeToTzSpecificLocalTime 0x468188
GetFileType 0x46818c
GetFileInformationByHandle 0x468190
GetDriveTypeW 0x468194
CreateFileW 0x468198
ExitProcess 0x46819c
RtlUnwind 0x4681a0
LoadLibraryW 0x4681a4
UnregisterWaitEx 0x4681a8
QueryDepthSList 0x4681ac
InterlockedFlushSList 0x4681b0
RaiseException 0x4681b4
GetCurrentThreadId 0x4681b8
IsProcessorFeaturePresent 0x4681bc
QueueUserWorkItem 0x4681c0
GetModuleHandleExW 0x4681c4
FormatMessageW 0x4681c8
WideCharToMultiByte 0x4681cc
EnterCriticalSection 0x4681d0
LeaveCriticalSection 0x4681d4
TryEnterCriticalSection 0x4681d8
DeleteCriticalSection 0x4681dc
SetLastError 0x4681e0
InitializeCriticalSectionAndSpinCount 0x4681e4
CreateEventW 0x4681e8
SwitchToThread 0x4681ec
TlsAlloc 0x4681f0
TlsGetValue 0x4681f4
TlsSetValue 0x4681f8
TlsFree 0x4681fc
GetSystemTimeAsFileTime 0x468200
GetTickCount 0x468204
GetModuleHandleW 0x468208
WaitForSingleObjectEx 0x46820c
QueryPerformanceCounter 0x468210
EncodePointer 0x468214
DecodePointer 0x468218
MultiByteToWideChar 0x46821c
CompareStringW 0x468220
LCMapStringW 0x468224
GetLocaleInfoW 0x468228
GetStringTypeW 0x46822c
GetCPInfo 0x468230
SetEvent 0x468234
ResetEvent 0x468238
UnhandledExceptionFilter 0x46823c
SetUnhandledExceptionFilter 0x468240
GetCurrentProcess 0x468244
TerminateProcess 0x468248
IsDebuggerPresent 0x46824c
GetStartupInfoW 0x468250
GetCurrentProcessId 0x468254
InitializeSListHead 0x468258
CreateTimerQueue 0x46825c
SignalObjectAndWait 0x468260
SetThreadPriority 0x468264
GetThreadPriority 0x468268
GetLogicalProcessorInformation 0x46826c
CreateTimerQueueTimer 0x468270
ChangeTimerQueueTimer 0x468274
DeleteTimerQueueTimer 0x468278
GetNumaHighestNodeNumber 0x46827c
GetProcessAffinityMask 0x468280
SetThreadAffinityMask 0x468284
RegisterWaitForSingleObject 0x468288
UnregisterWait 0x46828c
GetCurrentThread 0x468290
GetThreadTimes 0x468294
FreeLibrary 0x468298
FreeLibraryAndExitThread 0x46829c
GetModuleFileNameW 0x4682a0
LoadLibraryExW 0x4682a4
VirtualProtect 0x4682a8
DuplicateHandle 0x4682ac
ReleaseSemaphore 0x4682b0
InterlockedPopEntrySList 0x4682b4
InterlockedPushEntrySList 0x4682b8
WriteConsoleW 0x4682bc
Function Address Souspicious Anti Debug
RevertToSelf 0x468000
RegCloseKey 0x468004
RegQueryInfoKeyW 0x468008
RegGetValueA 0x46800c
RegQueryValueExA 0x468010
GetSidSubAuthorityCount 0x468014
GetSidSubAuthority 0x468018
GetUserNameA 0x46801c
CreateProcessWithTokenW 0x468020
LookupAccountNameA 0x468024
ImpersonateLoggedOnUser 0x468028
RegSetValueExA 0x46802c
OpenProcessToken 0x468030
RegOpenKeyExA 0x468034
RegEnumValueA 0x468038
DuplicateTokenEx 0x46803c
GetSidIdentifierAuthority 0x468040
Function Address Souspicious Anti Debug
CoUninitialize 0x468364
CoCreateInstance 0x468368
CoInitialize 0x46836c
Function Address Souspicious Anti Debug
closesocket 0x468318
inet_pton 0x46831c
getaddrinfo 0x468320
WSAStartup 0x468324
send 0x468328
socket 0x46832c
connect 0x468330
recv 0x468334
htons 0x468338
freeaddrinfo 0x46833c
Function Address Souspicious Anti Debug
GetSystemMetrics 0x4682d4
ReleaseDC 0x4682d8
GetDC 0x4682dc