General
-
Target
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
Size
1.8MB
-
Sample
240425-dbeg6sec5v
-
MD5
733fce8af4aa232cb80b7d61fa272764
-
SHA1
1bcc5b6309f5ff21b3e7d69a26d65ab318d2e760
-
SHA256
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
SHA512
8d4384aa54bce3ab173fc9b2f8146e08499c2be3520b41a5a24cdc4fbc15f37ffae6287bc4e32337a5a617942c3d70f46e70d4400718c2097e3ec8ff0db728be
-
SSDEEP
49152:4MtlcinxPGTqYeF1mj5OkN8Si74S82w0WR34Hm6VeWN:4MM38NUYw0aVA
Static task
static1
Behavioral task
behavioral1
Sample
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5.exe
Resource
win7-20240221-en
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Targets
-
-
Target
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
Size
1.8MB
-
MD5
733fce8af4aa232cb80b7d61fa272764
-
SHA1
1bcc5b6309f5ff21b3e7d69a26d65ab318d2e760
-
SHA256
72a9a731d6a1237c6cc4cc3dd1b4cf2e1ddfdbed917c6f822b4c33d342366fc5
-
SHA512
8d4384aa54bce3ab173fc9b2f8146e08499c2be3520b41a5a24cdc4fbc15f37ffae6287bc4e32337a5a617942c3d70f46e70d4400718c2097e3ec8ff0db728be
-
SSDEEP
49152:4MtlcinxPGTqYeF1mj5OkN8Si74S82w0WR34Hm6VeWN:4MM38NUYw0aVA
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-