General
-
Target
5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af
-
Size
391KB
-
Sample
240410-ngpv7sgh9t
-
MD5
19d257c7f63ff3dbf8b5ae26f2c1b45a
-
SHA1
dc84514dd1471efa7db9e34c43c6a60827dadad0
-
SHA256
5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af
-
SHA512
7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb
-
SSDEEP
6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj
Static task
static1
Behavioral task
behavioral1
Sample
5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
Resource
win7-20240221-en
Malware Config
Extracted
amadey
3.21
http://185.215.113.204
-
install_dir
580e612ff0
-
install_file
bguuwe.exe
-
strings_key
11ae05ddf878fd8a904552f1e0be6ecb
-
url_paths
/Lkb2dxj3/index.php
Extracted
vidar
55.7
1827
https://t.me/deadftx
https://www.ultimate-guitar.com/u/smbfupkuhrgc1
http://116.202.2.1:80
-
profile_id
1827
Targets
-
-
Target
5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af
-
Size
391KB
-
MD5
19d257c7f63ff3dbf8b5ae26f2c1b45a
-
SHA1
dc84514dd1471efa7db9e34c43c6a60827dadad0
-
SHA256
5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af
-
SHA512
7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb
-
SSDEEP
6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-