General
Target: 4aa184f3d403f654d3f8f95c4d0ab3808bce53a4404974e0e67b9406fcae9074
Size: 1.8MB
Sample: 240326-2vpz1shd7x
MD5: e17c58a27f3a3370da51fc0de68349cf
SHA1: ba28aef2cc70999fe31fb185457ba4584fb7206b
SHA256: 4aa184f3d403f654d3f8f95c4d0ab3808bce53a4404974e0e67b9406fcae9074
SHA512: 5dd1da7df60727b6e87d0a49599f6d03238237c7dfb9a3801e4c014bce9d4c8ab92f6d4d877a752f61a2f165f637ef64918a96397a87a5b779dd0f21eac87c1a
SSDEEP: 49152:3owuakco8AEoyhy6rUDK7kb8i+4nr/lF:lLA819sfb8TArdF
Static task: static1
Behavioral task: behavioral1
Sample: 4aa184f3d403f654d3f8f95c4d0ab3808bce53a4404974e0e67b9406fcae9074.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php
Targets
Target: 4aa184f3d403f654d3f8f95c4d0ab3808bce53a4404974e0e67b9406fcae9074
Size: 1.8MB
MD5: e17c58a27f3a3370da51fc0de68349cf
SHA1: ba28aef2cc70999fe31fb185457ba4584fb7206b
SHA256: 4aa184f3d403f654d3f8f95c4d0ab3808bce53a4404974e0e67b9406fcae9074
SHA512: 5dd1da7df60727b6e87d0a49599f6d03238237c7dfb9a3801e4c014bce9d4c8ab92f6d4d877a752f61a2f165f637ef64918a96397a87a5b779dd0f21eac87c1a
SSDEEP: 49152:3owuakco8AEoyhy6rUDK7kb8i+4nr/lF:lLA819sfb8TArdF
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger