General
Target: f5c5868e39d55bece500b45cf3071198be195e09d84160c4c9476cc927c9eecb
Size: 2.9MB
Sample: 240412-sas2habd42
MD5: 42e74f2a78f9c09f8133b4a6ee972f0d
SHA1: 85e1cedcec3a4ccdc81055bde6968caf3d44a72b
SHA256: f5c5868e39d55bece500b45cf3071198be195e09d84160c4c9476cc927c9eecb
SHA512: d213261eeb425f5d5e417cce49d0ea6d939b101d869a0e2e9c12fa8df917a5e1b6ab4b13cf10da559c150f1196662e443ec7c3b7d9616c8bd9c36be546283b12
SSDEEP: 49152:NeLa/F45AuHF/+M41QE+SPP8T+Gu2HRrKFs/:E+/F45Nx+M43+SXqjud
Static task: static1
Malware Config (extracted)
Family: amadey
Version: 4.18
C2 server: http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php
Targets
Target: f5c5868e39d55bece500b45cf3071198be195e09d84160c4c9476cc927c9eecb (2.9MB; hashes as listed under General above)
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15 (tactic, technique (hit count), sub-technique (hit count))
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (3)
  Pre-OS Boot (1): Bootkit (1)
  Virtualization/Sandbox Evasion (2)
Credential Access
  Unsecured Credentials (3): Credentials In Files (2), Credentials in Registry (1)