General
Target: e8c4379ee73b0b86122eea40ea81bc9751fbbad8ec55931092996fa64ab32876
Size: 222KB
Sample: 221117-xbbwtsbb8s
MD5: b327946a722dd6a3e8ace5ba14748b55
SHA1: 069145204cb7ea46268556c7379b043980df7f81
SHA256: e8c4379ee73b0b86122eea40ea81bc9751fbbad8ec55931092996fa64ab32876
SHA512: c00eb0b5c26fd2b8a441b2cf31d1a503005fade3c74072ede9a8a29d48496dccee31976461a10f119fc262541c66aa56b5ea0321b1b149bea768a854b06e6f60
SSDEEP: 3072:wMc16Vt+m4RgByu5XHCFKaWURQCdSJpOoXQi3+kopw3j2aPS9lzZ29gD:wf6wRgIKaWURYr3Qp8S9l0
Static task: static1
Behavioral task: behavioral1
Sample: e8c4379ee73b0b86122eea40ea81bc9751fbbad8ec55931092996fa64ab32876.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted: amadey
Version: 3.50
C2: 193.56.146.174/g84kvj4jck/index.php
Extracted: raccoon
d8f44b07b06da3a90ad87ebc9249718c
C2: http://79.137.205.87/
Targets
Target: e8c4379ee73b0b86122eea40ea81bc9751fbbad8ec55931092996fa64ab32876
Signatures
- Detect Amadey credential stealer module
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of SetThreadContext