General
Target: db20217605fd77ce30f31679d516be35b46af0b3b3708d36b6fb09668fdc7aa8
Size: 1.8MB
Sample: 240328-lec3hsfa98
MD5: 4eed0678749caf863bf4c1bb0bb37cab
SHA1: 3f52561a743b506be41cb06a20ea517b5c91c558
SHA256: db20217605fd77ce30f31679d516be35b46af0b3b3708d36b6fb09668fdc7aa8
SHA512: 0cea92e93a179812ff401dad1824efc665026d39f62ca993920442ddff12860f694383d7db0c38acd840ecd06432139fc26b6fbfec54637c45fd43d2b5db0e6a
SSDEEP: 49152:R1khBK/lf/Mt8XA5B+jVsFtRN4M7UH9j3OPwgKQJ:R1XNf/MlP+KFt47j3OD

Static task: static1
Behavioral task: behavioral1
Sample: db20217605fd77ce30f31679d516be35b46af0b3b3708d36b6fb09668fdc7aa8.exe
Resource: win10v2004-20240226-en

Malware Config
Extracted: amadey 4.17, http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php

Extracted: amadey 4.17, http://185.215.113.32
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php
Targets
Target: db20217605fd77ce30f31679d516be35b46af0b3b3708d36b6fb09668fdc7aa8
Size: 1.8MB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above.
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger