General
-
Target
b47d4e3c156cb8941e72176998674bc476aa743c8a094dd237f2414c6dca0604
-
Size
1.9MB
-
Sample
240625-cwtbdsyhkq
-
MD5
5ac04e7d2e2fe5de6613126a34ce8437
-
SHA1
209d602bb049373dda66d83c07e293baabcbed28
-
SHA256
b47d4e3c156cb8941e72176998674bc476aa743c8a094dd237f2414c6dca0604
-
SHA512
2c773ae7a4a0ff7d029c513bb48c7f0d5fc5be7fdbfcbe2cae29cf1615b32928e03e0406a232d520197df453cdbc12701948ba6a1cf20c76aa53a0feb63b0e67
-
SSDEEP
24576:V5aINNtvRYJypJeMwiMwPbOQ2azKjhTNChKLBbt+tHvPG6yZ3UUZOV6ZVKuCtR3n:V51Ng0eMwRwPZqRgK4HURRIwGchUrz
Static task
static1
Behavioral task
behavioral1
Sample
b47d4e3c156cb8941e72176998674bc476aa743c8a094dd237f2414c6dca0604.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Targets
-
-
Target
b47d4e3c156cb8941e72176998674bc476aa743c8a094dd237f2414c6dca0604
-
Size
1.9MB
-
MD5
5ac04e7d2e2fe5de6613126a34ce8437
-
SHA1
209d602bb049373dda66d83c07e293baabcbed28
-
SHA256
b47d4e3c156cb8941e72176998674bc476aa743c8a094dd237f2414c6dca0604
-
SHA512
2c773ae7a4a0ff7d029c513bb48c7f0d5fc5be7fdbfcbe2cae29cf1615b32928e03e0406a232d520197df453cdbc12701948ba6a1cf20c76aa53a0feb63b0e67
-
SSDEEP
24576:V5aINNtvRYJypJeMwiMwPbOQ2azKjhTNChKLBbt+tHvPG6yZ3UUZOV6ZVKuCtR3n:V51Ng0eMwRwPZqRgK4HURRIwGchUrz
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-