General

Target: 8069001d133f34a40786bfeeed558426257b7b8e3f4d73b6af0dff7e3d6e971b
Size: 1.8MB
Sample: 240921-139tqawhqf
MD5: e0a450286e39fee83a31eab2cc355e6c
SHA1: a3242e25e62b0815542c7b364021caed58e9f730
SHA256: 8069001d133f34a40786bfeeed558426257b7b8e3f4d73b6af0dff7e3d6e971b
SHA512: 51346a65d9a2248fa0fba163cfd1ed0f5b3d32fc035fb8db06cca0372ae8c40a19e78373cd96d217d71b6ccbe26658b3dde74752c470246c7463932c0eeab338
SSDEEP: 24576:BK8fSsUOEB6yEEAqhQZYjF0ASkj0YivtoTpLM8lbkoIN/vKGUbpj6YO4T3uYAoyZ:BKjtqR6QKjzSkwXF+1bkZN/xcreRwp8

Static task: static1
Behavioral task: behavioral1
Sample: 8069001d133f34a40786bfeeed558426257b7b8e3f4d73b6af0dff7e3d6e971b.exe
Resource: win7-20240903-en

Malware Config

Extracted: amadey
4.41
c7817d
http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted: stealc
dear
http://185.215.113.103
url_path: /e2b1563c6670f193.php
Targets

Target: 8069001d133f34a40786bfeeed558426257b7b8e3f4d73b6af0dff7e3d6e971b
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger