General
Target: b5973db1b5c044c534a9f809bc2c45b486373325ce1cfd75ff4600f00fd59483
Size: 1.8MB
Sample: 240428-babzjscc94
MD5: fe3346ec5bed65ea2f056fb8898a2f5c
SHA1: 6049004590734a9ba8124d9b7779a0d8ccd0ff2b
SHA256: b5973db1b5c044c534a9f809bc2c45b486373325ce1cfd75ff4600f00fd59483
SHA512: dbed2b9a6de8a1646e167ef74db323e458cf3a7b1518cbf412f66c04db470d232018ce600f5ee0a56c6f47975e2435061a24b564814da190e5c3f2ff434991c1
SSDEEP: 49152:+aBIARUgsrH0gdAzgjWKKqv6eGN5US9FnGjV/5rX:9B3UgsDTmEdKqvbGNJ9dCx5r
Static task: static1
Behavioral task: behavioral1
Sample: b5973db1b5c044c534a9f809bc2c45b486373325ce1cfd75ff4600f00fd59483.exe
Resource: win10v2004-20240426-en
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
install_dir: 4d0ab15804
install_file: chrosha.exe
strings_key: 1a9519d7b465e1f4880fa09a6162d768
url_paths: /enigma/index.php
Targets
Target: b5973db1b5c044c534a9f809bc2c45b486373325ce1cfd75ff4600f00fd59483
Size: 1.8MB
MD5: fe3346ec5bed65ea2f056fb8898a2f5c
SHA1: 6049004590734a9ba8124d9b7779a0d8ccd0ff2b
SHA256: b5973db1b5c044c534a9f809bc2c45b486373325ce1cfd75ff4600f00fd59483
SHA512: dbed2b9a6de8a1646e167ef74db323e458cf3a7b1518cbf412f66c04db470d232018ce600f5ee0a56c6f47975e2435061a24b564814da190e5c3f2ff434991c1
SSDEEP: 49152:+aBIARUgsrH0gdAzgjWKKqv6eGN5US9FnGjV/5rX:9B3UgsDTmEdKqvbGNJ9dCx5r
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger