General
Target: b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438
Size: 322KB
Sample: 221207-y33z3aba6t
MD5: 85f6fe679a04868dd03c5af77360df58
SHA1: 26c330194913ef9ef367ee17d3389ff71a6d08cf
SHA256: b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438
SHA512: 03336f8f6d2ffc3ffa8e1a51c2a703c1fbfdb520dce36261079097407c16993a2cc0fb5c27e953513097c7c3f73ce04e9604cbd741b48d50b1917b4e7c2b8475
SSDEEP: 6144:40sZlbXLNtuuL6oBOf8Im7WfI1O3tE/uilf:40sZlbHuuL6oBq8DyfI1Mel
Static task: static1
Malware Config
Extracted: amadey
Version: 3.50
C2: 62.204.41.6/p9cWxH/index.php (plain IP, no scheme reported; the Amadey panel endpoint is the index.php path)
Extracted: socelars
Payload URL: https://hdbywe.s3.us-west-2.amazonaws.com/sauydga27/ (S3 bucket on a legitimate provider, see the hosting-abuse signature below)
Targets
Target: b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438
Size: 322KB
Hashes (MD5, SHA1, SHA256, SHA512, SSDEEP): identical to the General section above.
Signatures:
- Detect Amadey credential stealer module
- Socelars payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2 (the Socelars S3 bucket above)
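To act on the extracted configs and the hosting-abuse signature, the snippet below turns the report's "Extracted" blocks into host+path IOCs, tags each host by hosting type, and hunts for them in proxy logs. This is an added example, not the sandbox's or the malware's code; the log lines are constructed, the report gives no scheme for the Amadey C2 so the match ignores scheme, and the S3 bucket is matched on its full bucket hostname so a benign bucket on the same provider does not hit.

```python
"""Turn the report's extracted Amadey / Socelars config into IOCs and hunt for them."""
import ipaddress
import re
from urllib.parse import urlsplit

# Copy of the report's "Malware Config / Extracted" section, flattened as on the page.
REPORT_CONFIG = """\
Extracted
amadey
3.50
62.204.41.6/p9cWxH/index.php
Extracted
socelars
https://hdbywe.s3.us-west-2.amazonaws.com/sauydga27/
"""

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def classify_host(host):
    """Tag the host so an analyst knows whether a plain block is safe to deploy."""
    try:
        ipaddress.ip_address(host)
        return "direct-ip"
    except ValueError:
        pass
    if host.endswith(".amazonaws.com"):
        # Legitimate provider: block the bucket hostname, never the provider domain.
        return "aws-s3-bucket"
    return "domain"


def parse_config(text):
    """Parse the flattened 'Extracted' blocks into IOC dicts.

    Each block is: 'Extracted', family, optional version, then one or more URLs.
    The Amadey C2 is listed without a scheme, so IOCs carry host and path only
    (assumption: match regardless of http/https).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    starts = [i for i, ln in enumerate(lines) if ln == "Extracted"] + [len(lines)]
    iocs = []
    for start, end in zip(starts, starts[1:]):
        block = lines[start + 1:end]
        if not block:
            continue
        family, rest = block[0], block[1:]
        version = rest.pop(0) if rest and VERSION_RE.fullmatch(rest[0]) else None
        for raw in rest:
            parts = urlsplit(raw if "://" in raw else "//" + raw)
            iocs.append({
                "family": family,
                "version": version,
                "host": parts.hostname,
                "path": parts.path or "/",
                "hosting": classify_host(parts.hostname),
            })
    return iocs


LOG_URL_RE = re.compile(r"\burl=(?P<url>\S+)")


def hunt(iocs, log_lines):
    """Return (line_no, family) for each log line whose URL hits an IOC host + path prefix."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_URL_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        for ioc in iocs:
            if parts.hostname == ioc["host"] and parts.path.startswith(ioc["path"]):
                hits.append((n, ioc["family"]))
    return hits


# Constructed proxy log lines (not from the report). Line 3 is a benign bucket on the
# same AWS region and must not match; line 4 is the C2 IP but a different path.
SAMPLE_LOGS = [
    "2022-12-07T10:14:02Z src=10.0.0.5 method=POST url=http://62.204.41.6/p9cWxH/index.php status=200",
    "2022-12-07T10:14:05Z src=10.0.0.5 method=GET url=https://hdbywe.s3.us-west-2.amazonaws.com/sauydga27/payload.exe status=200",
    "2022-12-07T10:14:09Z src=10.0.0.7 method=GET url=https://corp-backups.s3.us-west-2.amazonaws.com/2022/12/07.tar status=200",
    "2022-12-07T10:14:11Z src=10.0.0.5 method=GET url=http://62.204.41.6/other/ status=404",
]

if __name__ == "__main__":
    for ioc in parse_config(REPORT_CONFIG):
        print(ioc)
    for hit in hunt(parse_config(REPORT_CONFIG), SAMPLE_LOGS):
        print("hit:", hit)
```

The hosting tag is the practical caveat: the Amadey C2 is a bare IP and can be blocked outright, while the Socelars payload sits on amazonaws.com, so the block list must carry the full bucket hostname (hdbywe.s3.us-west-2.amazonaws.com) rather than the provider domain, or legitimate S3 traffic breaks.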