analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

amazongen.exe

Full analysis: https://app.any.run/tasks/3ee6e1a3-0a01-4984-926d-67474bcc8f11
Verdict: Malicious activity
Analysis date: May 20, 2022, 18:58:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

31322C4E4FCF9D56621479B4A4B8930A

SHA1:

B38551E9B1932295006533B80B302FBB013275D6

SHA256:

AEAD7D3C1FFCE1571A497646C0A9B844886DC538D731535648FB25C4BD949BDB

SSDEEP:

196608:YeBImcz64f4XzkneX38DXDQ9cGjtbYPvbJQlHHO2Sv3cIy88CN57Jmk9D2Izqh:amcz64Ay0MDTQ99jkJQlnhIlIqlO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • amazongen.exe (PID: 3396)

  • SUSPICIOUS

    • Checks supported languages

      • amazongen.exe (PID: 3396)

    • Reads the computer name

      • amazongen.exe (PID: 3396)

    • Executable content was dropped or overwritten

      • amazongen.exe (PID: 3396)

    • Drops a file with a compile date too recent

      • amazongen.exe (PID: 3396)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • amazongen.exe (PID: 3396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x7a6a
UninitializedDataSize: -
InitializedDataSize: 172032
CodeSize: 128512
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:01:05 13:16:15+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 05-Jan-2020 12:16:15

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 05-Jan-2020 12:16:15
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001F4D4
0x0001F600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.6643
.rdata
0x00021000
0x0000B19E
0x0000B200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.11204
.data
0x0002D000
0x0000E680
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.93811
.gfids
0x0003C000
0x000000B8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.86299
.rsrc
0x0003D000
0x0000EA38
0x0000EC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.29706
.reloc
0x0004C000
0x000017D4
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.65456

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.58652
3752
UNKNOWN
UNKNOWN
RT_ICON
2
6.05629
2216
UNKNOWN
UNKNOWN
RT_ICON
3
5.5741
1384
UNKNOWN
UNKNOWN
RT_ICON
4
7.95079
37019
UNKNOWN
UNKNOWN
RT_ICON
5
5.29119
9640
UNKNOWN
UNKNOWN
RT_ICON
6
5.43869
4264
UNKNOWN
UNKNOWN
RT_ICON
7
5.89356
1128
UNKNOWN
UNKNOWN
RT_ICON
101
2.71858
104
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
WS2_32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start amazongen.exe

Process information

PID
CMD
Path
Indicators
Parent process
3396"C:\Users\admin\AppData\Local\Temp\amazongen.exe" C:\Users\admin\AppData\Local\Temp\amazongen.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Total events
8
Read events
8
Write events
0
Delete events
0

Modification events

No data
Executable files
29
Suspicious files
3
Text files
724
Unknown types
0

Dropped files

PID
Process
Filename
Type
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_bz2.pydexecutable
MD5:0F75C236C4CCFEA1B16F132F6C139236
SHA256:5DC26DCBF58CC7F5BFDEC0BADD5240D6724DB3E34010AAF35A31876FE4057158
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_cffi_backend.cp38-win32.pydexecutable
MD5:012DB6C90D38DB71D0647659217CA286
SHA256:4207E3276411F75A6680EAE28D7D5ED7F6CAD946B1DE7B724440F44593267414
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dllexecutable
MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
SHA256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_hashlib.pydexecutable
MD5:05362ADD80824B06014645A7951337D8
SHA256:20B3A3D3350B3D4D57911ECFDB15F77512A6E73C3BF72B410724F81C79A5B1AF
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_ssl.pydexecutable
MD5:B9ECF769FC63A542A113CA1552DC7A7B
SHA256:E0BDB16CFFC7B5A19C5AF22D8A33D3C999D55A3117F2DA07ED3171CA9487927E
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_queue.pydexecutable
MD5:BC5FCE7B8DE6CA765CBF79F9D0587164
SHA256:A5DB4D041F40FB01761B5BAA907099DB89CF891B0DF0251D92DA2FBF9DC3897B
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_multiprocessing.pydexecutable
MD5:8901E96BB7A8EEAD994AF2BDF54A2447
SHA256:823A96F080A3424F4C5327CF61FF517723E19A69679EBE93EA97061063D8D593
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_lzma.pydexecutable
MD5:54F12E2385A77D825AE4D41A4AC515FE
SHA256:08DE18FBA635822F3BB89C9429F175E3680B7261546430BA9E2ED09BB31F5218
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_decimal.pydexecutable
MD5:8601C853146A4BE85238A57C9FD56865
SHA256:2A57023D4F355E3857187C02577FA4641A4D1DFF195196B3C33B90322EDF9FD4
3396amazongen.exeC:\Users\admin\AppData\Local\Temp\_MEI33962\_asyncio.pydexecutable
MD5:5435CE08F40FBE43230CAE8D3DFF232C
SHA256:79FDA30CBFC95DB2BA60646FF53DFF45B5ADD57C12241C4A82FA798CB3B543DF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
amazongen.exe