General
Target: 7e7dedd4d35f8e4222cb170dd85293f796f48d2ba1eb07788debcab7260f8d8b
Size: 401.5MB
Sample: 221128-fpxl1sgd52
MD5: 868f73e8879cab81af7296544785364b
SHA1: 956886eadbdcba8d49eb6037a97dcbb317222efd
SHA256: 7e7dedd4d35f8e4222cb170dd85293f796f48d2ba1eb07788debcab7260f8d8b
SHA512: 0ba81ffbf7671d7f9a220b064d561c7fec5d9bea15ee3cf2ce66354a4ba8ebea8c9c424a2ecf7f6e01c477bb1e6165169657e9d58aee16d33bae88f9cc14a52f
SSDEEP: 98304:+sn8Ly9joku2Wf6LoN8yNdZIb3IfBgY9ovZBeSM6j4qOQh:5uy5o4SanyxxHmvDa68qOQ
Static task: static1
Behavioral task: behavioral1
Sample: 7e7dedd4d35f8e4222cb170dd85293f796f48d2ba1eb07788debcab7260f8d8b.exe
Resource: win7-20221111-en
Malware Config
Extracted: vidar
Version: 55.9
Botnet: 1707
C2: https://t.me/headshotsonly
C2: https://steamcommunity.com/profiles/76561199436777531
profile_id: 1707
Note: the Telegram channel and Steam profile URLs are the dead-drop resolvers Vidar typically uses; the stealer fetches the page and parses the live C2 address from it, so the resolved C2 should be blocked alongside these URLs.
Extracted: amadey
Version: 3.50
C2: 77.73.134.66/o7Vsjd3a2f/index.php
Targets
Target: 7e7dedd4d35f8e4222cb170dd85293f796f48d2ba1eb07788debcab7260f8d8b (size and hashes identical to the General section above)
- Detect Amadey credential stealer module
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger: setting ThreadHideFromDebugger detaches the calling thread from an attached debugger, a common anti-debugging technique.
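Several of the signatures above (BIOS registry reads, VirtualBox ACPI keys, Uninstall-key enumeration, Outlook profile access) are registry-access patterns that can be re-derived from a sandbox API trace. The following is an added example written for this page, not the sandbox's own rule code: it tags registry accesses with the signature names used in the report and flags a process that combines two or more anti-analysis checks. The trace tuple layout, the process names and the sample lines are constructed; the registry paths are the standard locations each check reads.

```python
"""
Map registry accesses from a sandbox API trace to the behavioural signatures
listed in the report.  Added example; the trace format and sample lines are
constructed, the key paths are the real locations these checks read.
"""
import re
from collections import defaultdict

# Signature name -> regex over "KEY\Value" (case-insensitive).
RULES = {
    "Checks BIOS information in registry": re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
        r"(BIOS\\(SystemManufacturer|SystemProductName)|SystemBiosVersion|VideoBiosVersion)$",
        re.I),
    "Identifies VirtualBox via ACPI registry values": re.compile(
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "Checks installed software on the system": re.compile(
        r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I),
    "Accesses Microsoft Outlook profiles": re.compile(
        r"^HKCU\\Software\\Microsoft\\(Office\\\d+\.\d+\\Outlook|"
        r"Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles", re.I),
}

# Signatures that together point at sandbox/VM evasion rather than inventory.
ANTI_ANALYSIS = {
    "Checks BIOS information in registry",
    "Identifies VirtualBox via ACPI registry values",
}

# Constructed trace: (pid, image, api, key, value name). Not from the report.
SAMPLE_TRACE = [
    (1204, "sample.exe", "RegOpenKeyExW", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", ""),
    (1204, "sample.exe", "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (1204, "sample.exe", "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (1204, "sample.exe", "RegEnumKeyExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", ""),
    (1204, "sample.exe", "RegOpenKeyExW", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles", ""),
    (2316, "explorer.exe", "RegQueryValueExW", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "ShellState"),
]


def normalize(key, value):
    """Join key and value name into one backslash-separated path."""
    path = key.rstrip("\\")
    return f"{path}\\{value}" if value else path


def match_signatures(key, value):
    """Return the sorted list of signature names whose rule matches this access."""
    target = normalize(key, value)
    return sorted(name for name, rx in RULES.items() if rx.search(target))


def classify_trace(trace):
    """Return {pid: {signature: [matched paths]}} for processes that hit a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for pid, _image, _api, key, value in trace:
        for sig in match_signatures(key, value):
            hits[pid][sig].append(normalize(key, value))
    return hits


def suspicious_processes(trace, min_anti_analysis=2):
    """PIDs that triggered at least `min_anti_analysis` anti-analysis signatures."""
    hits = classify_trace(trace)
    return sorted(pid for pid, sigs in hits.items()
                  if len(ANTI_ANALYSIS.intersection(sigs)) >= min_anti_analysis)


if __name__ == "__main__":
    for pid, sigs in classify_trace(SAMPLE_TRACE).items():
        for sig, paths in sigs.items():
            print(f"pid {pid}: {sig}")
            for p in paths:
                print(f"    {p}")
    print("suspicious:", suspicious_processes(SAMPLE_TRACE))
```

Reads of the BIOS or ACPI keys alone are not conclusive (inventory agents query the same values), which is why the score requires two distinct anti-analysis signatures from one process before flagging it; the Uninstall and Outlook hits are kept as supporting context rather than counted toward the threshold.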