General
- Target: 85616aee4378a829d366178f044da0c8.exe
- Size: 4.3MB
- Sample: 221127-pp2emsgd73
- MD5: 85616aee4378a829d366178f044da0c8
- SHA1: eaad647ae0ac3681fc1fceb224e6f986234e3978
- SHA256: 71ee360efd0c5763ed9799acb28286af193392d18416535eec639cc7a4a258eb
- SHA512: 72be226b6751a90d810e282c0504f82c15b8c320da301ffff822f24602088e6f3b1b29116da61c9228a3958d873754c4cb23469a28219fe17f4326eda4935a43
- SSDEEP: 98304:om9vCApJPC8/VaFW3HKAPM8Njel8kLX4tkmTT6t:omZZpJPCwsFkhrN6/yzSt
Static task: static1
Behavioral task: behavioral1
- Sample: 85616aee4378a829d366178f044da0c8.exe
- Resource: win7-20220901-en
Malware Config
Extracted: vidar 55.9
- 1707
- https://t.me/headshotsonly
- https://steamcommunity.com/profiles/76561199436777531
- profile_id: 1707
Extracted: amadey 3.50
- 77.73.134.66/o7Vsjd3a2f/index.php
Targets
- Target: 85616aee4378a829d366178f044da0c8.exe
- Size: 4.3MB
- MD5: 85616aee4378a829d366178f044da0c8
- SHA1: eaad647ae0ac3681fc1fceb224e6f986234e3978
- SHA256: 71ee360efd0c5763ed9799acb28286af193392d18416535eec639cc7a4a258eb
- SHA512: 72be226b6751a90d810e282c0504f82c15b8c320da301ffff822f24602088e6f3b1b29116da61c9228a3958d873754c4cb23469a28219fe17f4326eda4935a43
- SSDEEP: 98304:om9vCApJPC8/VaFW3HKAPM8Njel8kLX4tkmTT6t:omZZpJPCwsFkhrN6/yzSt
- Detect Amadey credential stealer module
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger