Analyze a malware sample

This is a 16-bit Windows malware sample being analyzed using common procedure:

Highlights

Interesting findings include but are not limited to:

Anti-debugger technique#1: IsDebugPresent() check presence of user-mode debugger(stored in PEB::IsDebugged field), this condition leads to TerminateProcess():

Anti-debugger technique#2: GetProcAddress()+EncodePointer()+DecodePointer() obfuscates imported function calls using per-process secret, such as GetTickCount():
Anti-debugger technique#3: IsProcessorFeaturePresent(17h) checks __fastfail support before proceeding with immediate termination:

Anti-debugger technique#4: IsProcessorFeaturePresent(0Ah) checks SSE instruction set available and collect CPU ID info:

Anti-debugger technique#5: SetUnhandledExceptionFilter() + UnhandledExceptionFilter() check presence of debugger by replacing top-level exception handler for all threads. If executable is being debugged, then the custom handler will not be called, result in malware terminates the process:

Anti-debugger technique#6: SetLastError(code)+OutputDebugString() + GetLastError() check error code remaining condition to confirm debugger free:

Malicious COM scriptlet key and content:
Trojan get downloaded by Scriptlet using Msxml2.Server XMLHTTP, writes into C:\Users\admin\AppData\Local\Temp\

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
.github/workflows		.github/workflows
images		images
AMPTGRET.sct		AMPTGRET.sct
README.md		README.md
malware-sample.exe		malware-sample.exe