General
Target: 0ca6a139567e88f68e3e384435097d47dd33e2f29f3342d537fa82774b4636c9
Size: 1.8MB
Sample: 240703-b9bsts1eje
MD5: bdf34357d5997e6a69c972e0fcfaed33
SHA1: 5022445e735454004a4f2a58ad22c0d1ce3c00cc
SHA256: 0ca6a139567e88f68e3e384435097d47dd33e2f29f3342d537fa82774b4636c9
SHA512: 1e5007e76a34d4dac80448543a3c6e86a906e7d0e2efc6e65d982d5df0817d6112b48ae6feea48736c404d367bc14911adce2890293b491daacb283858b15d7d
SSDEEP: 49152:BgRAIQuvV4ET2oI6VCrigZROX8cwU0O1PmfCbxs5:B4S24q256VCrig7gCSxUC9u
Static task: static1
Behavioral task: behavioral1
Sample: 0ca6a139567e88f68e3e384435097d47dd33e2f29f3342d537fa82774b4636c9.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted
  Family: amadey
  Version: 4.30
  Botnet: 4dd39d
  C2: http://77.91.77.82
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php
Extracted
  Family: stealc
  Botnet: jony
  C2: http://85.28.47.4
  url_path: /920475a59bac849d.php
Targets
Target: 0ca6a139567e88f68e3e384435097d47dd33e2f29f3342d537fa82774b4636c9
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger