General
-
Target
362aadbd9dc628c321bc33892046b8c1.bin
-
Size
2.3MB
-
Sample
240630-b43pcsvgqj
-
MD5
57004232eb885d71f38a74ef61d6c096
-
SHA1
202213df94d2410141d778a74b97bf68e01f88ed
-
SHA256
d363eecdcdb2fb1ffc8b07973fe1411f1714db4b87a3bc4c5771cf5ca5a07dc2
-
SHA512
0578a29f6c24403201f888e6aa048ea8e31d53944765d1dc1de32a2cd2698d186589bb37b13a6eab060b57094b46f35948e7a9791b54150791317c094311e829
-
SSDEEP
49152:LweNG0Av2wJC4uZB2qOeBe9G5A8dzbKj5dlLQvEFDUOpcJp:kTSWuZlOeU9Gq0vECJp
Static task
static1
Behavioral task
behavioral1
Sample
11f5b01983cd221e28aa672906d313ca45dc0ed41f351602779590576104c52e.exe
Resource
win7-20240611-en
Malware Config
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Targets
-
-
Target
11f5b01983cd221e28aa672906d313ca45dc0ed41f351602779590576104c52e.exe
-
Size
2.3MB
-
MD5
362aadbd9dc628c321bc33892046b8c1
-
SHA1
f8831ff7c1fa70f4d56985b08daada57758c3171
-
SHA256
11f5b01983cd221e28aa672906d313ca45dc0ed41f351602779590576104c52e
-
SHA512
03a8100cd8cbd9a519e19922a1f29dfed84514b029e3e7dc6e6f76d45078deeb2703c074f8b8faaac9103302fc90a93d26a9302967f9b9c992b3ecd82437c9e9
-
SSDEEP
49152:Cy78p6FyspLM6JZID0V1/VvzkUrJyORGcR5cD/96lehH8kRyMx:x78k/pLV7IozClcPY/wsZ1Z
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-