General
Target: 240630-mqf4zswfne_pw_infected.zip
Size: 1.8MB
Sample: 240701-amhgestcqm
MD5: 7b94a3c692eac925e2e2c774cdd3f346
SHA1: 696d500c94dc93b0c44a3329c26f575639a11cff
SHA256: 709d85d60d378cd15b7753ef5978ce64a2b7402e77acddcbc59346828777e45f
SHA512: aa1cd750de5cbae9b13be96adb0856e108791974c2b1e9b38bbdfdfd2a9e83aa13b3a62416bde9392df5e59a8c93c6bde2df0d3a374e6f8539f4b2938bd0c229
SSDEEP: 49152:D/2VbRev5LqI2+3N2QUT/Y/Tf3QhI6/RK1HL:DeR+LL2SzctC6/RoL
Static task
static1

Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted
stealc
default
http://85.28.47.4
url_path: /920475a59bac849d.php
Targets
Target: 585dad4590d9a7722a93434b59d8c37a5d21ff9deb0d5fff0b242d8b8268db98
Size: 1.8MB
MD5: 908243a9511f16a9e6365cd83328b032
SHA1: 9c5c9f3b75dac14e77303933c11df64e2649c5c1
SHA256: 585dad4590d9a7722a93434b59d8c37a5d21ff9deb0d5fff0b242d8b8268db98
SHA512: 0b601ae823a9d07b0e8a2250d7ab1ddf7779fedf4713521d3afca81a0bb0fba87bbe32d1aebc748d590639d20a407a84f025ecc5541cf2364c9588d871bb64da
SSDEEP: 49152:RMhIGBD39f7f1bjW5Q0BzH4p6xbeOBbJAPI7e:RvGBD39LNa5Q0pA6xbtAPI
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger