General

Target: 0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162
Size: 1.8MB
Sample: 240525-ft6qgsfe36
MD5: 960e350d0826e0dfb4deb06203ef9de8
SHA1: c90314ec63d474ef31db8a3abf1223d313c04006
SHA256: 0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162
SHA512: 6ac6eaedf1708f2473578c8159c5fbd265aaefb9bf926d21b2d863f167de6cb0826290d60e1319dbfda9912bf54d15af2792c862eff2da9673266871b39bcb10
SSDEEP: 24576:GWPnMx2UWGW+Y9EFtGJYZGqBY5cQjuvybL0y9lVdSYIUHQHTYJvwIB525ezYBqP2:5PnMxhWGAjy7Y3jua30SlG9EOIttP
Static task: static1
Behavioral task: behavioral1
Sample: 0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162.exe
Resource: win10v2004-20240226-en
Malware Config

Extracted: amadey
Version: 4.21
Botnet: 0e6740
C2: http://147.45.47.155
install_dir: 9217037dc9
install_file: explortu.exe
strings_key: 8e894a8a4a3d0da8924003a561cfb244
url_paths: /ku4Nor9/index.php

Extracted: risepro
C2: 147.45.47.126:58709

Extracted: amadey
Version: 4.21
Botnet: 49e482
C2: http://147.45.47.70
install_dir: 1b29d73536
install_file: axplont.exe
strings_key: 4d31dd1a190d9879c21fac6d87dc0043
url_paths: /tr8nomy/index.php
Targets

Target: 0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162 (1.8MB; hashes as listed under General)
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger