General
-
Target
6efcf42599a54f15f35185abb503518484c5d9ec544ff6f99c447796f357bc66
-
Size
1.8MB
-
Sample
240331-mmgaksac8z
-
MD5
9caf5244d003843057309135cdb9d779
-
SHA1
bb272cbb19752ab067a0cc9ad6ffc1e9b07443e1
-
SHA256
6efcf42599a54f15f35185abb503518484c5d9ec544ff6f99c447796f357bc66
-
SHA512
5af04ebefe733a8cf4ba8b070450faeb7239199bb0501bd3ad728dfb84845d806b80e0302c9b78baa09e9e589ae324b7234c369efc75e27529d192e36be64c49
-
SSDEEP
49152:7ROFRJONtAvbPMGVZdWAhTA8WUKDhrnKV5BvNzao/ky:7RibPMGVPPC8WdDZS5RNWos
Static task
static1
Behavioral task
behavioral1
Sample
6efcf42599a54f15f35185abb503518484c5d9ec544ff6f99c447796f357bc66.exe
Resource
win10v2004-20240319-en
Malware Config
Extracted
-
Family
amadey
-
Version
4.18
-
C2
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Targets
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
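The four registry-based signatures above (VirtualBox ACPI values, BIOS information, computer location settings, Wine keys) and the "Downloads MZ/PE file" signature can be reproduced outside the sandbox. The Python below is an added example, not code from this report, from the sandbox, or from Amadey. It assumes the registry locations such checks are usually keyed on (HKLM\HARDWARE\ACPI\{DSDT,FADT,RSDT}\VBOX__, HKLM\HARDWARE\DESCRIPTION\System\*Bios*, HKCU\Control Panel\International\Geo\Nation, HKCU\Software\Wine), which the report does not state, and runs them over constructed registry-access event lines in a made-up "pid image operation key" layout rather than real Sysmon or Procmon output. The process-execution, DLL-load and NtSetInformationThreadHideFromDebugger signatures are API-level events and are not covered here.

```python
"""Reproduce the registry-based sandbox-evasion signatures and the MZ/PE
download check from the report over constructed input.
Added example; not the sandbox's or Amadey's code."""
import re
import struct

# Registry locations these signatures are usually keyed on. ASSUMPTION: the
# report does not list the exact keys its signatures match; these are the
# well-known ones such checks read. Patterns are regexes over the key path.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values": [
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    ],
    "Checks BIOS information in registry": [
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$",
    ],
    "Checks computer location settings": [
        r"^HKCU\\Control Panel\\International\\Geo\\Nation$",
    ],
    "Identifies Wine through registry keys": [
        r"^HKCU\\Software\\Wine(\\|$)",
    ],
}

# Constructed event layout (not a real Sysmon/Procmon format):
#   <pid> <image> <operation> <registry path>
EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<op>\S+)\s+(?P<key>.+)$")

# Constructed sample: the dropped Amadey file touching all four locations,
# a text editor reading its own settings, and a hardware-info tool that
# legitimately reads the BIOS version once.
SAMPLE_EVENTS = """\
1234 explorha.exe RegOpenKey HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
1234 explorha.exe RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
1234 explorha.exe RegQueryValue HKCU\\Control Panel\\International\\Geo\\Nation
1234 explorha.exe RegOpenKey HKCU\\Software\\Wine
5678 notepad.exe RegQueryValue HKCU\\Software\\Microsoft\\Notepad\\iWindowPosX
9999 hwinfo.exe RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
"""


def triggered_signatures(event_lines):
    """Map pid -> sorted signature names whose registry pattern the process
    touched. Like the sandbox, this fires on the access itself: the key need
    not exist on the host, the attempt is the tell."""
    hits = {}
    for line in event_lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        for name, patterns in SIGNATURES.items():
            if any(re.search(p, m["key"], re.IGNORECASE) for p in patterns):
                hits.setdefault(m["pid"], set()).add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def suspicious_pids(event_lines, min_signatures=2):
    """PIDs that tripped at least min_signatures distinct checks. A lone BIOS
    read is common in legitimate software; several evasion checks from one
    process are not."""
    return sorted(pid for pid, names in triggered_signatures(event_lines).items()
                  if len(names) >= min_signatures)


def looks_like_pe(data: bytes) -> bool:
    """The 'Downloads MZ/PE file' check: DOS 'MZ' magic and an e_lfanew
    (offset 0x3C) that points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed minimal PE-shaped blob (headers only, not a runnable executable).
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    for pid, names in triggered_signatures(SAMPLE_EVENTS.splitlines()).items():
        print(pid, names)
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS.splitlines()))
    print("PE download:", looks_like_pe(FAKE_PE))
```

Two points carry over to a real detection. First, score the combination of checks per process, not any single one: hardware inventory tools read SystemBiosVersion all day, but one process reading VBOX__ ACPI tables, BIOS strings, the Geo\Nation value and the Wine key in quick succession is the pattern this sample shows. Second, match on the access attempt rather than the returned value, because on a real victim machine the VirtualBox and Wine keys do not exist and the query simply fails.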