General
-
Target
79fbd35cae4148d9053cd4590b6d41c0.bin
-
Size
1.8MB
-
Sample
240330-bv4v3aea5s
-
MD5
9de3dad179a7ded89330825c17641e3c
-
SHA1
87776c1de039a5d1c8968601f90891b15894c3b5
-
SHA256
314cfde234ae41e5316da82a97a6b3f4d77d6116726f8c710799bf491a7b7401
-
SHA512
be5f2811d127c588431a339e16afe3dcede4a38f823da2674134d717278ef5851cbd079285d060a469718536a8f86ff49645d18b0887c3d4025a6ee4e7a517b6
-
SSDEEP
49152:0GAi562I/Bf/8NbWp3nTOzbn1scjEwIWuk:b5jI/h0Nqp3n+b1hEwpr
Static task
static1
Behavioral task
behavioral1
Sample
9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe
Resource
win7-20240221-en
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
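The two extracted configurations above give everything needed for network detection: a C2 base URL and the path the implant posts to. The following Python is an added example (it is not part of the sandbox report or of either malware family's code) that expands those values into full-URL and bare-host indicators and runs them over a few proxy log lines. The log lines are constructed for the example; the indicator values are copied verbatim from the Malware Config section.

```python
"""
Added example, not from the report: build network indicators from the
extracted Amadey/Stealc configs and match them against proxy log lines.
"""
import re
from urllib.parse import urljoin

# Values copied from the "Malware Config" section of the report.
EXTRACTED_CONFIGS = [
    {"family": "amadey", "version": "4.17",
     "c2": ["http://185.215.113.32"], "url_paths": ["/yandex/index.php"],
     "install_dir": "00c07260dc", "install_file": "explorgu.exe"},
    {"family": "stealc",
     "c2": ["http://185.172.128.209"], "url_paths": ["/3cd2b41cbde8fc9c.php"]},
]


def build_indicators(configs):
    """Expand each C2 base + url_path into a full URL; keep bare hosts too.

    Bare hosts catch beaconing to the same server on a different path.
    Filenames are kept as host-side indicators; the report does not give the
    full drop location, so only the directory name and filename are used.
    """
    urls, hosts, files = set(), set(), set()
    for cfg in configs:
        for base in cfg["c2"]:
            hosts.add(re.sub(r"^https?://", "", base).rstrip("/"))
            for path in cfg.get("url_paths", []):
                urls.add(urljoin(base.rstrip("/") + "/", path.lstrip("/")))
        if "install_file" in cfg:
            files.add((cfg.get("install_dir", ""), cfg["install_file"]))
    return {"urls": urls, "hosts": hosts, "files": files}


# Constructed proxy log (Squid-like "ts client method url"); not from the report.
SAMPLE_LOG = """\
1711785600.101 10.0.0.12 POST http://185.215.113.32/yandex/index.php
1711785601.250 10.0.0.12 GET http://www.msftconnecttest.com/connecttest.txt
1711785602.410 10.0.0.19 POST http://185.172.128.209/3cd2b41cbde8fc9c.php
1711785603.000 10.0.0.19 GET http://185.172.128.209/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def match_log(log_text, indicators):
    """Return (client, url, reason) for every line hitting an indicator.

    An exact C2 URL match is reported as "c2-url"; any other request to a C2
    host is reported as "c2-host" so that path changes between campaigns do
    not silently defeat the rule.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        url = m.group("url")
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        if url in indicators["urls"]:
            hits.append((m.group("client"), url, "c2-url"))
        elif host in indicators["hosts"]:
            hits.append((m.group("client"), url, "c2-host"))
    return hits


if __name__ == "__main__":
    ioc = build_indicators(EXTRACTED_CONFIGS)
    for hit in match_log(SAMPLE_LOG, ioc):
        print(*hit)
```

Matching on the bare host as a fallback matters here because both families use a fixed IP with no domain, so a host hit is almost as strong a signal as the full URL.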
Targets
-
-
Target
9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe
-
Size
1.8MB
-
MD5
79fbd35cae4148d9053cd4590b6d41c0
-
SHA1
3548d8fa1f242206447224068c16ffd30278ede3
-
SHA256
9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef
-
SHA512
babf970ee423976f68864c67d9ec7a0771be65465b4ea3c498fd9a9ab98f08124be2a0ec16f7952b237d27d778ef49ef9f48fe8ad66dd9a3f840ffc9a5658a40
-
SSDEEP
49152:rOixuZfOJofYPg+EevCu7OgYZkwtOc/Xe+vv:rOgIfOJosF/jYZk/cv
-
Glupteba payload
-
Modifies firewall policy service
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
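Most of the registry-based signatures above (Wine, VirtualBox ACPI, BIOS, location, installed software, Run key) reduce to "which key did the process touch, and did it read or write it". The following Python is an added example, not the sandbox's own rule set, that reproduces those signature names from a registry-access trace. The key paths are the locations commonly associated with each check and are an assumption of this example, since the report does not list the exact keys it matched; the trace lines are constructed.

```python
"""
Added example, not from the report: map registry accesses in a process
trace back to the signature names used above. Key paths are assumed.
"""
import re

# (signature name, requires a write, key-path regex). Paths are assumptions:
# the report does not publish the exact keys behind each signature.
SIGNATURE_RULES = [
    ("Identifies Wine through registry keys", False,
     r"\\Software\\Wine$"),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", False,
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks BIOS information in registry", False,
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$"),
    ("Checks computer location settings", False,
     r"\\Control Panel\\International\\Geo\\Nation$"),
    ("Checks installed software on the system", False,
     r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"),
    ("Adds Run key to start application", True,
     r"\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
]
COMPILED = [(name, needs_write, re.compile(pat, re.IGNORECASE))
            for name, needs_write, pat in SIGNATURE_RULES]

# Signatures that indicate the sample is checking for an analysis environment.
EVASION_SIGNATURES = {
    "Identifies Wine through registry keys",
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)",
    "Checks BIOS information in registry",
}

# Constructed trace, "<pid> <op> <key>"; op is QueryValue or SetValue.
SAMPLE_TRACE = """\
2204 QueryValue HKCU\\Software\\Wine
2204 QueryValue HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
2204 QueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
2204 QueryValue HKCU\\Control Panel\\International\\Geo\\Nation
2204 QueryValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Notepad++
3120 SetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\explorgu
3120 QueryValue HKCU\\Software\\Microsoft\\Internet Explorer\\Main
"""


def match_trace(trace_text):
    """Return {signature name: set of pids} for every rule that fires.

    A rule marked needs_write only fires on SetValue, so merely reading the
    Run key (which many legitimate programs do) is not reported as persistence.
    """
    hits = {}
    for line in trace_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        pid, op, key = parts
        for name, needs_write, rx in COMPILED:
            if needs_write and op != "SetValue":
                continue
            if rx.search(key):
                hits.setdefault(name, set()).add(int(pid))
    return hits


def is_sandbox_aware(hits):
    """True if any anti-VM / anti-sandbox registry check fired."""
    return bool(EVASION_SIGNATURES & hits.keys())


if __name__ == "__main__":
    result = match_trace(SAMPLE_TRACE)
    for name, pids in result.items():
        print(f"{name}: pids {sorted(pids)}")
    print("sandbox-aware:", is_sandbox_aware(result))
```

The write/read distinction is the part worth keeping when porting this to a real EDR query: reads of the Run key are routine, writes to it by a freshly dropped executable are not.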
-
MITRE ATT&CK Matrix (ATT&CK v13; numbers are hit counts per technique)
Persistence
  Create or Modify System Process: 2
    Windows Service: 2
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
Privilege Escalation
  Create or Modify System Process: 2
    Windows Service: 2
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
Defense Evasion
  Modify Registry: 3
  Virtualization/Sandbox Evasion: 2
  Impair Defenses: 1
    Disable or Modify System Firewall: 1
  Subvert Trust Controls: 1
    Install Root Certificate: 1
Credential Access
  Unsecured Credentials: 5
    Credentials In Files: 4
    Credentials in Registry: 1