am19.exe

First submission 2024-10-16 04:06:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	416.0 KB (425984 bytes)
Compile time:	2024-07-25 14:12:00
MD5:	d7e27b31e4e9fea544ad222cecb5338c
SHA1:	484f64323864bcf4326e63f8908f43192306856b
SHA256:	ba7570395a1adfa7dd22638402d994c2b36efb559d1a69ddc91503bb0b608839
Import Hash :	be0c2c50a71730b54474cda1c9b2928c
Sections 5	.text .rdata .data .rsrc .reloc
Directories 5	import resource debug tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	43/76 VT report date: 2024-10-16 03:39:14
Malware Type 3	trojan downloader dropper
Threat Type 3	doina amadey deyma

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://185.215.113.103/test/am19.exe	185.215.113.103	2024-10-16 04:06:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x4e5fa	321024	d5e8b0f92edd5c9ef5a828516464bf1672993111	247d40b35166287cb4b49509a208df50
.rdata	0x50000	0x11070	70144	2e92209b827cf0d1adc6e42d41a2ce4cdd4553ce	4b6f3708364fc7ce4e202f96f25a7b49
.data	0x62000	0x667c	13312	162885b464480b42b02021256030cd36a282ce73	0066d19dde9729444b5459eb9c2ea480
.rsrc	0x69000	0x1e0	512	26acb84785e1385f17fbf39b38ee67689ff74468	b7d16686b376821266a9345c26b7e6d6
.reloc	0x6a000	0x4c58	19968	91a30d6890fca54d9f873d8f0cab11e4058d4af2	b8416175415f0a3617cb949612d39195

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x69060	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x69060

381

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Library
api-ms-win-core-synch-l1-2-0.dll
AKERNEL32.dll
mscoree.dll
ADVAPI32.dll
combase.dll
SHELL32.dll
WININET.dll
WS2_32.dll
ntdll.dll
ole32.dll
KERNEL32.dll

Import functions

WININET.dll 8 SHELL32.dll 4 KERNEL32.dll 136 ADVAPI32.dll 11 ole32.dll 3 WS2_32.dll 10

Function	Address	Souspicious	Anti Debug
HttpOpenRequestA	0x450268
InternetOpenUrlA	0x45026c
InternetOpenW	0x450270
InternetOpenA	0x450274
InternetCloseHandle	0x450278
HttpSendRequestA	0x45027c
InternetConnectA	0x450280
InternetReadFile	0x450284

Function	Address	Souspicious	Anti Debug
SHGetFolderPathA	0x450254
ShellExecuteA	0x450258
None	0x45025c
SHFileOperationA	0x450260

Function	Address	Souspicious	Anti Debug
CreateThread	0x450030
GetLocalTime	0x450034
GetThreadContext	0x450038
GetProcAddress	0x45003c
VirtualAllocEx	0x450040
RemoveDirectoryA	0x450044
ReadProcessMemory	0x450048
GetSystemInfo	0x45004c
CreateDirectoryA	0x450050
SetThreadContext	0x450054
SetEndOfFile	0x450058
DecodePointer	0x45005c
ReadConsoleW	0x450060
HeapReAlloc	0x450064
HeapSize	0x450068
CloseHandle	0x45006c
CreateFileA	0x450070
GetFileAttributesA	0x450074
GetLastError	0x450078
Sleep	0x45007c
GetTempPathA	0x450080
SetCurrentDirectoryA	0x450084
GetModuleHandleA	0x450088
ResumeThread	0x45008c
GetComputerNameExW	0x450090
GetVersionExW	0x450094
CreateMutexA	0x450098
VirtualAlloc	0x45009c
WriteFile	0x4500a0
VirtualFree	0x4500a4
WriteProcessMemory	0x4500a8
GetModuleFileNameA	0x4500ac
CreateProcessA	0x4500b0
ReadFile	0x4500b4
GetTimeZoneInformation	0x4500b8
GetConsoleMode	0x4500bc
GetConsoleCP	0x4500c0
FlushFileBuffers	0x4500c4
GetStringTypeW	0x4500c8
GetProcessHeap	0x4500cc
SetEnvironmentVariableW	0x4500d0
FreeEnvironmentStringsW	0x4500d4
GetEnvironmentStringsW	0x4500d8
GetCPInfo	0x4500dc
GetOEMCP	0x4500e0
GetACP	0x4500e4
IsValidCodePage	0x4500e8
FindNextFileW	0x4500ec
FindFirstFileExW	0x4500f0
FindClose	0x4500f4
SetFilePointerEx	0x4500f8
SetStdHandle	0x4500fc
GetFullPathNameW	0x450100
GetCurrentDirectoryW	0x450104
DeleteFileW	0x450108
LCMapStringW	0x45010c
CompareStringW	0x450110
MultiByteToWideChar	0x450114
HeapAlloc	0x450118
HeapFree	0x45011c
GetCommandLineW	0x450120
GetCommandLineA	0x450124
GetStdHandle	0x450128
FileTimeToSystemTime	0x45012c
SystemTimeToTzSpecificLocalTime	0x450130
PeekNamedPipe	0x450134
GetFileType	0x450138
GetFileInformationByHandle	0x45013c
GetDriveTypeW	0x450140
RaiseException	0x450144
GetCurrentThreadId	0x450148
IsProcessorFeaturePresent	0x45014c
QueueUserWorkItem	0x450150
GetModuleHandleExW	0x450154
FormatMessageW	0x450158
WideCharToMultiByte	0x45015c
EnterCriticalSection	0x450160
LeaveCriticalSection	0x450164
TryEnterCriticalSection	0x450168
DeleteCriticalSection	0x45016c
SetLastError	0x450170
InitializeCriticalSectionAndSpinCount	0x450174
CreateEventW	0x450178
SwitchToThread	0x45017c
TlsAlloc	0x450180
TlsGetValue	0x450184
TlsSetValue	0x450188
TlsFree	0x45018c
GetSystemTimeAsFileTime	0x450190
GetTickCount	0x450194
GetModuleHandleW	0x450198
WaitForSingleObjectEx	0x45019c
QueryPerformanceCounter	0x4501a0
SetEvent	0x4501a4
ResetEvent	0x4501a8
UnhandledExceptionFilter	0x4501ac
SetUnhandledExceptionFilter	0x4501b0
GetCurrentProcess	0x4501b4
TerminateProcess	0x4501b8
IsDebuggerPresent	0x4501bc
GetStartupInfoW	0x4501c0
GetCurrentProcessId	0x4501c4
InitializeSListHead	0x4501c8
CreateTimerQueue	0x4501cc
SignalObjectAndWait	0x4501d0
SetThreadPriority	0x4501d4
GetThreadPriority	0x4501d8
GetLogicalProcessorInformation	0x4501dc
CreateTimerQueueTimer	0x4501e0
ChangeTimerQueueTimer	0x4501e4
DeleteTimerQueueTimer	0x4501e8
GetNumaHighestNodeNumber	0x4501ec
GetProcessAffinityMask	0x4501f0
SetThreadAffinityMask	0x4501f4
RegisterWaitForSingleObject	0x4501f8
UnregisterWait	0x4501fc
EncodePointer	0x450200
GetCurrentThread	0x450204
GetThreadTimes	0x450208
FreeLibrary	0x45020c
FreeLibraryAndExitThread	0x450210
GetModuleFileNameW	0x450214
LoadLibraryExW	0x450218
VirtualProtect	0x45021c
DuplicateHandle	0x450220
ReleaseSemaphore	0x450224
InterlockedPopEntrySList	0x450228
InterlockedPushEntrySList	0x45022c
InterlockedFlushSList	0x450230
QueryDepthSList	0x450234
UnregisterWaitEx	0x450238
LoadLibraryW	0x45023c
RtlUnwind	0x450240
ExitProcess	0x450244
CreateFileW	0x450248
WriteConsoleW	0x45024c

Function	Address	Souspicious	Anti Debug
RegCloseKey	0x450000
RegQueryInfoKeyW	0x450004
RegQueryValueExA	0x450008
GetSidSubAuthorityCount	0x45000c
GetSidSubAuthority	0x450010
GetUserNameA	0x450014
LookupAccountNameA	0x450018
RegSetValueExA	0x45001c
RegOpenKeyExA	0x450020
RegEnumValueW	0x450024
GetSidIdentifierAuthority	0x450028

Function	Address	Souspicious	Anti Debug
CoUninitialize	0x4502b8
CoCreateInstance	0x4502bc
CoInitialize	0x4502c0

Function	Address	Souspicious	Anti Debug
closesocket	0x45028c
inet_pton	0x450290
getaddrinfo	0x450294
WSAStartup	0x450298
send	0x45029c
socket	0x4502a0
connect	0x4502a4
recv	0x4502a8
htons	0x4502ac
freeaddrinfo	0x4502b0

Name	Latest seen	MD5
newwork.exe	2024-07-19 08:36:02	3764897fd08b8427b978fb099c091f71