General
-
Target
8d8e0afa6f4c379900b267cc91488aa478282e8a2811341ce0f76968fa4c8b73
-
Size
1.8MB
-
Sample
240425-dwry1aec95
-
MD5
de5e3f8bf3ab95d814e126d7d7214ac7
-
SHA1
a7fa0676f5dbea99778b36aa169036b0487191cd
-
SHA256
8d8e0afa6f4c379900b267cc91488aa478282e8a2811341ce0f76968fa4c8b73
-
SHA512
3ffa407806ec3315a8e339455dcfbe2864686fdbb9b51511822ee80543bb662db275ffbfaa11d79385cf6c5d768278512eea05025b17f2399174bfc471bf3129
-
SSDEEP
49152:VX29t+xBfvR4wA4u1gO7lMg8z1XwaJ88Dz1dt+Ccq6:VG9tSBCwByllMg8z5wClDBT+Ccq6
Static task
static1
Behavioral task
behavioral1
Sample
8d8e0afa6f4c379900b267cc91488aa478282e8a2811341ce0f76968fa4c8b73.exe
Resource
win7-20240221-en
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Targets
-
-
Target
8d8e0afa6f4c379900b267cc91488aa478282e8a2811341ce0f76968fa4c8b73
-
Size
1.8MB
-
MD5
de5e3f8bf3ab95d814e126d7d7214ac7
-
SHA1
a7fa0676f5dbea99778b36aa169036b0487191cd
-
SHA256
8d8e0afa6f4c379900b267cc91488aa478282e8a2811341ce0f76968fa4c8b73
-
SHA512
3ffa407806ec3315a8e339455dcfbe2864686fdbb9b51511822ee80543bb662db275ffbfaa11d79385cf6c5d768278512eea05025b17f2399174bfc471bf3129
-
SSDEEP
49152:VX29t+xBfvR4wA4u1gO7lMg8z1XwaJ88Dz1dt+Ccq6:VG9tSBCwByllMg8z5wClDBT+Ccq6
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-