General
-
Target
6ca6e4645a223dcca12ff92e3667c641bd98f1888afde4b5b4ffa41f68c3b913
-
Size
1.8MB
-
Sample
240328-adfapsbf7y
-
MD5
690c77dfe862a07815aeca8d0a5bc95b
-
SHA1
0aa098c9020746ed6f743dee201fb8b3c8d00682
-
SHA256
6ca6e4645a223dcca12ff92e3667c641bd98f1888afde4b5b4ffa41f68c3b913
-
SHA512
81de21c1ffe1b03943bc5a620345e6d8043b1afe8d26aca7546e5464505360b9ba3710442d349e1078a9f3befe7ccb499eb8fc434df26be09d3972d20d73a7e0
-
SSDEEP
49152:ThtkV1biDyFIvrvcO7HsjkwJsZNs0Z5cG41EKm:HGJJu7ceHHHNH5L41a
Static task
static1
Behavioral task
behavioral1
Sample
6ca6e4645a223dcca12ff92e3667c641bd98f1888afde4b5b4ffa41f68c3b913.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Targets
-
-
Target
6ca6e4645a223dcca12ff92e3667c641bd98f1888afde4b5b4ffa41f68c3b913
-
Size
1.8MB
-
MD5
690c77dfe862a07815aeca8d0a5bc95b
-
SHA1
0aa098c9020746ed6f743dee201fb8b3c8d00682
-
SHA256
6ca6e4645a223dcca12ff92e3667c641bd98f1888afde4b5b4ffa41f68c3b913
-
SHA512
81de21c1ffe1b03943bc5a620345e6d8043b1afe8d26aca7546e5464505360b9ba3710442d349e1078a9f3befe7ccb499eb8fc434df26be09d3972d20d73a7e0
-
SSDEEP
49152:ThtkV1biDyFIvrvcO7HsjkwJsZNs0Z5cG41EKm:HGJJu7ceHHHNH5L41a
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-