General
-
Target
amadka.exe
-
Size
1.8MB
-
Sample
240720-zflb6swgph
-
MD5
a167734f75b512f5fd225cfba47b3511
-
SHA1
aa5b54ac5a624e4c15fb848e519efa4fbd9d4e32
-
SHA256
53083ace2013ee5e0ccfbdc41557a35ba6446d8c999fa5376b16f63197c1bad4
-
SHA512
47b126308f83f371417965887fbf653f9501d7fd637a0eec380c6250e14947774e899ff77650763bf7cd10aa97837b5779ea4ccd6633dbad0cdff0adbec85a90
-
SSDEEP
49152:dryQBe+WLSfY0Zg+V1Lxkj54Sx73b0tT9Y:QQ4RSfYqV1LxkFNeF2
Static task
static1
Behavioral task
behavioral1
Sample
amadka.exe
Resource
win7-20240704-en
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
default
http://85.28.47.31
-
url_path
/5499d72b3a3e55be.php
Targets
-
-
Target
amadka.exe
-
Size
1.8MB
-
MD5
a167734f75b512f5fd225cfba47b3511
-
SHA1
aa5b54ac5a624e4c15fb848e519efa4fbd9d4e32
-
SHA256
53083ace2013ee5e0ccfbdc41557a35ba6446d8c999fa5376b16f63197c1bad4
-
SHA512
47b126308f83f371417965887fbf653f9501d7fd637a0eec380c6250e14947774e899ff77650763bf7cd10aa97837b5779ea4ccd6633dbad0cdff0adbec85a90
-
SSDEEP
49152:dryQBe+WLSfY0Zg+V1Lxkj54Sx73b0tT9Y:QQ4RSfYqV1LxkFNeF2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-