General

Target: sBBw37vduNn9dfiK.ps1
Size: 51KB
Sample: 221129-g36yaadb63
MD5: 5b2458844f93996d9756f9078291dda9
SHA1: c981f4fceb59827950b4111a4976b7d0dd53667a
SHA256: 61528ae70c919687208659f7270d06dfb12f0bb5baccbc49fead7e9ab1a876f8
SHA512: bc51b6a5f81a7dcef185df10168c63a7b88d6f28e3340059cbae10b2579eedaa2a65e75a656e6ae23225d963bdc16225f27bf5907b3bbb44942f3bc0eb073bf2
SSDEEP: 96:3I/dd1LUiNtmtlwxWotbYG97JbAIX480I4ghn4rezXQCCgZavZFkMs3LtVT9ck3x:3fO9

Static task: static1
Behavioral task: behavioral1
Sample: sBBw37vduNn9dfiK.ps1
Resource: win7-20220812-en

Malware Config

Extracted: https://drive.google.com/uc?export=download&id=1ogbCiwBaVXPjDHhV0GcZx3l_HoU1dbid
Extracted: amadey, version 3.50, C2 77.73.134.68/hfk3vK9/index.php

Targets

Target: sBBw37vduNn9dfiK.ps1
Size: 51KB
MD5: 5b2458844f93996d9756f9078291dda9
SHA1: c981f4fceb59827950b4111a4976b7d0dd53667a
SHA256: 61528ae70c919687208659f7270d06dfb12f0bb5baccbc49fead7e9ab1a876f8
SHA512: bc51b6a5f81a7dcef185df10168c63a7b88d6f28e3340059cbae10b2579eedaa2a65e75a656e6ae23225d963bdc16225f27bf5907b3bbb44942f3bc0eb073bf2
SSDEEP: 96:3I/dd1LUiNtmtlwxWotbYG97JbAIX480I4ghn4rezXQCCgZavZFkMs3LtVT9ck3x:3fO9

Signatures
- Detect Amadey credential stealer module
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments)
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2