General
Target: 0e920697f02451a346d4b68164c630e1.bin
Size: 651KB
Sample: 230630-bc5dwaff94
MD5: 7db8bf1613665fc84dd3b3d3333f55c8
SHA1: 969bb0d3f44531117ff53b76bba5f348332388eb
SHA256: 8f40a4c0a5492d2a8bf645ab1e5f399ca4b2c20e59374ed6f4490ce5525db691
SHA512: 42c30070d1d8318e86a3b127a24071ac57b751e93e84df768b6b8a32d88214fef4bffb862b49df8da097264f340ba393304f03be286d973852fbee50d4c11c44
SSDEEP: 12288:itkciRqQcrImN9/IkvCR7C0mCFFWfsj3Oz75GtLhlJDK2vdM+S4+c627N6ouGGw:bX4df/hWC0VFokCzAxDhKkS4+yXuq
Static task: static1
Behavioral task: behavioral1
Sample: c79d5c1b10a3c1959755ab98a2c097c00544e6f42e108df002f48cf2d9d9baa8.exe
Resource: win7-20230621-en
Malware Config
Extracted: amadey
  3.83
  62.182.156.152/so57Nst/index.php
Extracted: systembc
  5.42.65.67:4298
  localhost.exchange:4298
Targets
Target: c79d5c1b10a3c1959755ab98a2c097c00544e6f42e108df002f48cf2d9d9baa8.exe
Size: 1.4MB
MD5: 0e920697f02451a346d4b68164c630e1
SHA1: 8dbde48176b60305aad6db2a0b3a180223d9f538
SHA256: c79d5c1b10a3c1959755ab98a2c097c00544e6f42e108df002f48cf2d9d9baa8
SHA512: 7339d9dc208b04782ba03da7b9104834777c69f2e08f9b419fca324a6808a141a04cea2daa75fd738d06ffa2d0faf123bacfdaedb40333842e93e32840dab7c2
SSDEEP: 24576:EhZDSdKu3HdjN4STH/EFaeN5CJ7FR5fuudV3+nLyo85f4Qy:EhZGd/jN4STH/UfCJBR5mudV3+nLyo8e
- SectopRAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger