General
-
Target
2abf87b5b526b9961ce83aa57edbb7f0
-
Size
1.8MB
-
Sample
240229-t25eaaee2s
-
MD5
2abf87b5b526b9961ce83aa57edbb7f0
-
SHA1
1c6ffecc15979ca9ccb0df93dc3657458f79903a
-
SHA256
08a228904dacbb9d8f658b629b5477b2b0af04a0e2286abaf4c50e71ef69f604
-
SHA512
4c76d98e94bda5be5b4a6d170cb20d6df41169ce572ffa9a7df1c42eb75ea8060fa21aca65542bef4e6893814c5ed72632c79b4177d8f33134650bbe9ceeb8f0
-
SSDEEP
49152:YPkUK3/z6tX2F1ft/3oOybwJJUCsP4+8C:skP8mFdt/Py0UC
Static task
static1
Behavioral task
behavioral1
Sample
2abf87b5b526b9961ce83aa57edbb7f0.exe
Resource
win7-20240221-en
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
lumma
https://executivebrakeji.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Targets
-
-
Target
2abf87b5b526b9961ce83aa57edbb7f0
-
Size
1.8MB
-
MD5
2abf87b5b526b9961ce83aa57edbb7f0
-
SHA1
1c6ffecc15979ca9ccb0df93dc3657458f79903a
-
SHA256
08a228904dacbb9d8f658b629b5477b2b0af04a0e2286abaf4c50e71ef69f604
-
SHA512
4c76d98e94bda5be5b4a6d170cb20d6df41169ce572ffa9a7df1c42eb75ea8060fa21aca65542bef4e6893814c5ed72632c79b4177d8f33134650bbe9ceeb8f0
-
SSDEEP
49152:YPkUK3/z6tX2F1ft/3oOybwJJUCsP4+8C:skP8mFdt/Py0UC
-
Detect binaries embedding considerable number of MFA browser extension IDs.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with unregistered version of .NET Reactor
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-