General
- Target: 2x.rar
- Size: 14.6MB
- Sample: 240619-q57f9s1fqd
- MD5: c1159fc3286eb949217ee436bc31a14a
- SHA1: 29ea7fe377e9ffb2d7b3cb899b8b618de17241da
- SHA256: fb389983ad7ef0623d3318ca5e7aa2b484692affa283929504133f825329ea4e
- SHA512: 39e92d5fc5430b731cacd8e70b2acfd58a48d599b79f66c86e2ce5de153a864c79dc07836291e31af38c533fd15915b5650339e353fea14c490c2d7c0f7f0980
- SSDEEP: 393216:X7qOAkrPBtzGBwT2DfUomq1CYj97IIY9j5MugpH5NWr9HMLvJLr:Ll55tz+wTrFq1CY57ObMuyH5NWRHGZ
Static task
- static1

Behavioral task
- behavioral1
  Sample: 6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3/files/Setup.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3/files/Setup.exe
  Resource: win10v2004-20240508-en

Behavioral task
- behavioral3
  Sample: b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e/files/Setup.exe
  Resource: win7-20240508-en
Malware Config

Extracted: stealc

Extracted: amadey
- 4.30
- ffb1b9
- http://proresupdate.com
- install_dir: 4bbb72a446
- install_file: Hkbsse.exe
- strings_key: 1ebbd218121948a356341fff55521237
- url_paths: /h9fmdW5/index.php
Targets

Target: 6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3/files/Setup.exe
- Size: 5.5MB
- MD5: 9d8649afd4141d960b6545998fbc423b
- SHA1: 3ddd700caaebab0a9d2ed640f235d4b716a505de
- SHA256: db2457caa1ccd65e63718b9e28789a12e17bc7a038975fba4f07dcd9f38e7016
- SHA512: 0a50681e956df3187a718570fd54600365e8ad805b7e291eb5fc6169df47a6d31596f890419aa36a4f3d983b17eb21eae9e2e51cf5755f8b2b890ba87b752da2
- SSDEEP: 49152:88iGSBp0o5I9vl6yoPgbIXayfQUxldpSphlWopc9MTHKsb48bHVGfKiaaQATZ79z:bihyoPgbInQEHY3N3sNfxLlC1Dxeh

Signatures:
- Detect Vidar Stealer
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext
Target: b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e/files/Setup.exe
- Size: 202KB
- MD5: 64179e64675e822559cac6652298bdfc
- SHA1: cceed3b2441146762512918af7bf7f89fb055583
- SHA256: c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
- SHA512: ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
- SSDEEP: 3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

Signatures:
- Detect Vidar Stealer
- XMRig Miner payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Downloads MZ/PE file
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext