General
- Target: 356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de
- Size: 104KB
- Sample: 221129-zx1s7aga76
- MD5: 8a3c83f840de566847fc41fa77f1c78a
- SHA1: 9b6088116d7dc9221f564dec0ae70ac4c98e618e
- SHA256: 05ee4dcd8bb8b29e243f46b0ae86766e346ff6d496ca54f96e3a14bc5aafe331
- SHA512: 7010361b0d6475c7dc8508c53cdd82c5e9eb926cfd9c7befb2e54f1aa288221f1c591f32b075e2099886cea88adba295a32f8bf5de239c49449ebcb75d62a014
- SSDEEP: 1536:8etyQUusrqUGc93l57r/j1py6jQkdrU6cXOHNGtEdVeBrr+C4ozjzoHfOCkE:9Ilfnl5bpjQABTSueBXRzqZkE
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de.exe
  - Resource: win7-20221111-en
Behavioral task
- behavioral2
  - Sample: 356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de.exe
  - Resource: win10v2004-20220901-en
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 62.204.41.252/nB8cWack3/index.php
Extracted
- Family: vidar
- Version: 56
- Botnet: 1148
- C2:
  - https://t.me/asifrazatg
  - https://steamcommunity.com/profiles/76561199439929669
- profile_id: 1148
Targets
- Target: 356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de
- Size: 146KB
- MD5: d3ca1d2e2a38db7c2924aa6ba8f6b7c3
- SHA1: efdd5aae4010ad1c9444df486baf03d7a21f91a9
- SHA256: 356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de
- SHA512: 25a879d5cc4595eac49608c313b25b5b8772d46668ee7a724bec23ea8be6aef5077d956fe775a387c66183b478c09f58f2b24c4203361695a355b0f6a593274d
- SSDEEP: 3072:kr6/96rsuWn5xcfhm/9fyYLbB2KDhgw2Uk8bbHJp7m:n/Arsu1gfB2Uk87

- Detect Amadey credential stealer module
- Detects Smokeloader packer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext