General
- Target: 74e4f20e127f4c8219df419238a76ea45089f4c17c7b5d29128a1269978e5e33
- Size: 1.9MB
- Sample: 240422-x6ntwafa95
- MD5: 7d79a3da2d6473ba0ea8a7e7449107ba
- SHA1: ffa0c558fd4ebd44aaa9942336703975baa91ea4
- SHA256: 74e4f20e127f4c8219df419238a76ea45089f4c17c7b5d29128a1269978e5e33
- SHA512: 2b20aa6dbc19e687dc8c448e7ae9d9ce72e1f2c131a7df29eefe2e3381352d07db580a71aa784c3dd35fd32b6d4c0e371e564e0cfa8840b8c2d2619f9f6bc31d
- SSDEEP: 49152:9qemjxgDDGCVawZAYYJlI57F02fqQvRsun:9KIGwZAYYAbzsK
Static task: static1
Behavioral task: behavioral1
- Sample: 74e4f20e127f4c8219df419238a76ea45089f4c17c7b5d29128a1269978e5e33.exe
- Resource: win10v2004-20240412-en
Malware Config
Extracted: amadey 4.17
- http://193.233.132.167
- install_dir: 4d0ab15804
- install_file: chrosha.exe
- strings_key: 1a9519d7b465e1f4880fa09a6162d768
- url_paths: /enigma/index.php
Extracted: lumma
Targets
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext