General
- Target: 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4
- Size: 1.8MB
- Sample: 240912-cgdbmawajn
- MD5: 5aa843af1eb61da84c361651443815c5
- SHA1: df0e8611d4c9632c1ef438ffe4e33b9bcfd5279a
- SHA256: 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4
- SHA512: dba5ca6332fbb5b4aa25ff725f3e5d8973c17b41699d2facc9b4650d0f9e31522867f44a6a52cd01d9262d318299a5942b4b93ce7a21a797629dcbb20d7a7230
- SSDEEP: 49152:md6cJmI1l+3dOyD7zsx432yG78XlrZR6DtU3:mRcIOD7z6432J7MGw
Static task: static1
Behavioral task: behavioral1
- Sample: 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
- Resource: win10v2004-20240802-en
Malware Config
Extracted
- amadey
- 4.41
- c7817d
- http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted
- stealc
- rave
- http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Targets
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Adds Run key to start application
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger