Windows Analysis Report
DocumentoSENAMHI20222103.exe

Overview

General Information

Sample Name: DocumentoSENAMHI20222103.exe
Analysis ID: 593268
MD5: 81ba3d2de48272d692c4e6604e6b1db9
SHA1: 921e7008881d5e0e9a788ee310ddef60b343c647
SHA256: eef5ae48384a5c5dff5d4c7b1a768c4eb1fe5d3df0347c85c9c1b404327dbba9
Tags: AveMariaRAT, exe, RAT

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

AV Detection

Source: DocumentoSENAMHI20222103.exe ReversingLabs: Detection: 16%
Source: 0.2.DocumentoSENAMHI20222103.exe.150000.0.unpack Avira: Label: ADWARE/Adware.Gen8
Source: 0.0.DocumentoSENAMHI20222103.exe.150000.0.unpack Avira: Label: ADWARE/Adware.Gen8
Source: DocumentoSENAMHI20222103.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DocumentoSENAMHI20222103.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: DocumentoSENAMHI20222103.exe
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_0015A22B FindFirstFileExW, 0_2_0015A22B
Source: DocumentoSENAMHI20222103.exe, 00000000.00000002.923038668.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: initial sample Static PE information: Filename: DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DocumentoSENAMHI20222103.exe, 00000000.00000002.921896034.0000000000293000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMultiRead.EXEB vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe Binary or memory string: OriginalFilenameMultiRead.EXEB vs DocumentoSENAMHI20222103.exe
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_0015FA9C 0_2_0015FA9C
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: String function: 00154730 appears 34 times
Source: DocumentoSENAMHI20222103.exe ReversingLabs: Detection: 16%
Source: DocumentoSENAMHI20222103.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_00151B39 __EH_prolog3_catch_GS,__alloca_probe_16,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 0_2_00151B39
Source: classification engine Classification label: mal56.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_001514A2 CoCreateInstance, 0_2_001514A2
Source: DocumentoSENAMHI20222103.exe Static file information: File size 1320960 > 1048576
Source: DocumentoSENAMHI20222103.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x129400
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DocumentoSENAMHI20222103.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_001601B1 push ecx; ret 0_2_001601C4
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe API coverage: 3.6 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_001571A3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_001571A3
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_0015A22B FindFirstFileExW, 0_2_0015A22B

Anti Debugging

Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_00154959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00154959
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_00157B8E mov eax, dword ptr fs:[00000030h] 0_2_00157B8E
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_00159DF6 mov eax, dword ptr fs:[00000030h] 0_2_00159DF6
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_001571A3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 0_2_001571A3
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_0015B2B8 GetProcessHeap, 0_2_0015B2B8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_00154AEF SetUnhandledExceptionFilter, 0_2_00154AEF
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_001542DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001542DA
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_001572E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001572E0
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_00154775 cpuid 0_2_00154775
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 0_2_00154BDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00154BDE
No contacted IP infos