General
-
Target
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
-
Size
425KB
-
Sample
240831-tswe1stcna
-
MD5
ced97d60021d4a0bfa03ee14ec384c12
-
SHA1
7af327df2a2d1e0e09034c2bdf6a47f788cec4e4
-
SHA256
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
-
SHA512
af0a02daa759010a1edfc78f14c5fe321c10802d0b9df55b515fe501114af0835a05bbd5dd5e2167b4b1f39bb6da787343bf9141d5f811113f71749741b47811
-
SSDEEP
6144:31YnIct+B6NxMYE4+Sx9SY5pkUM7LOM/9HtlcyKZrr02e7wufA5oVt1ZuWu1KBF/:0IGxJECSYCLTxKZn1e7C5oVnZuWu3p
Behavioral task
behavioral1
Sample
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951.exe
Resource
win11-20240802-en
Malware Config
Extracted
amadey
4.41
1176f2
http://185.215.113.19
-
install_dir
417fd29867
-
install_file
ednfoki.exe
-
strings_key
183201dc3defc4394182b4bff63c4065
-
url_paths
/CoreOPT/index.php
Targets
-
-
Target
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
-
Size
425KB
-
MD5
ced97d60021d4a0bfa03ee14ec384c12
-
SHA1
7af327df2a2d1e0e09034c2bdf6a47f788cec4e4
-
SHA256
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
-
SHA512
af0a02daa759010a1edfc78f14c5fe321c10802d0b9df55b515fe501114af0835a05bbd5dd5e2167b4b1f39bb6da787343bf9141d5f811113f71749741b47811
-
SSDEEP
6144:31YnIct+B6NxMYE4+Sx9SY5pkUM7LOM/9HtlcyKZrr02e7wufA5oVt1ZuWu1KBF/:0IGxJECSYCLTxKZn1e7C5oVnZuWu3p
-
Detects ZharkBot payload
ZharkBot is a botnet written C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Indirect Command Execution
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2