General
Target: 0920665444ab6e7604061699131d130b6ab8dea128fdb7ccdfd9f60a535f8ba9N.exe
Size: 1.8MB
Sample: 240926-hntvvaweme
MD5: bf1e8b37215bea566bd6f263fec85b50
SHA1: f0c1115fae2bd289e2a662c6d4148e0f0be87ffb
SHA256: 0920665444ab6e7604061699131d130b6ab8dea128fdb7ccdfd9f60a535f8ba9
SHA512: 3422e28ed4f4c15ac5720b4a22a91c0cfe5cefd9721660408809400da302c9275efce76ec9aa2a9bf944c1c3ac3695a7adcd3b0cd13d151d27c5d967353f69b1
SSDEEP: 49152:Z1P1hmAFX0mUZP+uLW/ewmFXg39H1UhjPJ31FfR:Z1P1TFX0pWIXg39VEjhfR

Static task: static1
Behavioral task: behavioral1
Sample: 0920665444ab6e7604061699131d130b6ab8dea128fdb7ccdfd9f60a535f8ba9N.exe
Resource: win7-20240704-en
Malware Config

Extracted: amadey 4.41 (c7817d)
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted: amadey 4.42 (9c9aa5)
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted: stealc (save)
C2: http://185.215.113.37
url_path: /e2b1563c6670f193.php
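The three extracted configs give a responder concrete network indicators: two Amadey C2 hosts, one Stealc C2 host, and the exact url_path each beacon uses. The Python below is an added example (not part of this report, and not code from any sandbox or from the malware) that matches those indicators against web-proxy log lines. The log layout and the sample lines are constructed for the example; the hosts and paths are copied from the configs above.

```python
"""Sweep web-proxy logs for the Amadey and Stealc C2 indicators extracted above."""
import re
from urllib.parse import urlsplit

# C2 host and url_path values copied from the extracted configs in this report.
C2_INDICATORS = {
    "amadey 4.41 (c7817d)": ("31.41.244.10", ("/Dem7kTu/index.php",)),
    "amadey 4.42 (9c9aa5)": ("185.215.113.43", ("/Zu7JuNko/index.php",)),
    "stealc (save)": ("185.215.113.37", ("/e2b1563c6670f193.php",)),
}

# Assumed log layout: "<timestamp> <client ip> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines (not from the report). Line 5 reaches a C2 host but
# not the known url_path; line 3 is a benign request with a look-alike path.
SAMPLE_LOG = """\
2024-09-26T10:01:02Z 10.0.0.5 POST http://31.41.244.10/Dem7kTu/index.php 200
2024-09-26T10:01:07Z 10.0.0.5 GET http://185.215.113.43/Zu7JuNko/index.php 200
2024-09-26T10:01:09Z 10.0.0.7 GET http://example.com/index.php 200
2024-09-26T10:02:30Z 10.0.0.5 POST http://185.215.113.37/e2b1563c6670f193.php 200
2024-09-26T10:03:00Z 10.0.0.9 GET http://185.215.113.43/other.php 404
"""


def classify_url(url):
    """Return (family, kind): kind is "host+path" for a full C2 beacon match,
    "host" for traffic to a C2 host on another path; None if no indicator hits."""
    parts = urlsplit(url)
    for family, (host, paths) in C2_INDICATORS.items():
        if parts.hostname != host:
            continue
        return family, ("host+path" if parts.path in paths else "host")
    return None


def scan_log(text):
    """Return (timestamp, client, family, kind, url) for each line hitting an indicator;
    lines that do not fit the assumed layout are skipped rather than guessed at."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append((ts, client, verdict[0], verdict[1], url))
    return hits


def clients_to_triage(hits, full_match_only=True):
    """Client IPs to pull for host triage; full_match_only=False also includes
    hosts that only talked to a C2 address without the known beacon path."""
    return {h[1] for h in hits if h[3] == "host+path" or not full_match_only}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ts, client, family, kind, url in found:
        print(f"{ts} {client} {family} [{kind}] {url}")
    print("triage:", sorted(clients_to_triage(found)))
    print("triage (incl. host-only):", sorted(clients_to_triage(found, False)))
```

Matching on host and path separately matters in practice: a host-only hit may be a scanner or a different campaign on the same server, while a host+path hit is the beacon pattern this report documents and is worth a host pull on its own.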
Targets
Target: 0920665444ab6e7604061699131d130b6ab8dea128fdb7ccdfd9f60a535f8ba9N.exe (1.8MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer that runs Windows applications and can be used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging technique)
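The anti-analysis signatures above are registry reads, and the Run-key signature is a registry write, so both can be checked on a suspect host. The Python below is an added example (not the sample's code and not the sandbox's detection logic): it lists the registry locations conventionally behind each check and sweeps the Run keys for entries naming the extracted install_file values. The report does not show which values this sample actually queried, so the key paths, the hypervisor vendor strings and the install path under %LOCALAPPDATA%\Temp are assumptions, and the registry snapshot is constructed.

```python
"""Registry artifacts behind the sandbox signatures above: the locations an
anti-analysis routine reads, and the Run-key persistence the report flags.
Key paths and vendor strings are the conventional ones (assumption: the report
does not show which values this sample queried)."""

# (hive, key path, value name or None, kind, description)
#   "key"   -> presence of the key is the indicator (VirtualBox ACPI table, Wine)
#   "vmstr" -> value data is searched for hypervisor vendor strings
#   "info"  -> value is only reported (geofencing input, not a VM indicator)
CHECKS = [
    ("HKLM", r"HARDWARE\ACPI\DSDT\VBOX__", None, "key", "VirtualBox ACPI table"),
    ("HKLM", r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "vmstr", "system BIOS"),
    ("HKLM", r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "vmstr", "video BIOS"),
    ("HKCU", r"Software\Wine", None, "key", "Wine compatibility layer"),
    ("HKCU", r"Control Panel\International\Geo", "Nation", "info", "country GEOID"),
]
VM_VENDOR_STRINGS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs")

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
INSTALL_FILES = ("svoutse.exe", "skotes.exe")  # install_file from the two Amadey configs


class SnapshotRegistry:
    """Offline stand-in for the registry: {(hive, key path): {value name: data}}.
    On a Windows host the same three methods can be backed by winreg.OpenKey,
    winreg.QueryValueEx and winreg.EnumValue."""

    def __init__(self, keys):
        self.keys = {(h, p.lower()): {n.lower(): d for n, d in vals.items()}
                     for (h, p), vals in keys.items()}

    def key_exists(self, hive, path):
        return (hive, path.lower()) in self.keys

    def value(self, hive, path, name):
        return self.keys.get((hive, path.lower()), {}).get(name.lower())

    def values(self, hive, path):
        return dict(self.keys.get((hive, path.lower()), {}))


def _as_text(data):
    # SystemBiosVersion is REG_MULTI_SZ, which winreg returns as a list of strings.
    return " ".join(data) if isinstance(data, (list, tuple)) else str(data)


def anti_analysis_probe(reg):
    """Return (description, kind, evidence) for every check that yields something:
    a present key, a value containing a hypervisor string, or an info value."""
    results = []
    for hive, path, name, kind, desc in CHECKS:
        if kind == "key":
            if reg.key_exists(hive, path):
                results.append((desc, kind, path))
            continue
        data = reg.value(hive, path, name)
        if data is None:
            continue
        text = _as_text(data)
        if kind == "info" or any(s in text.lower() for s in VM_VENDOR_STRINGS):
            results.append((desc, kind, text))
    return results


def run_key_persistence(reg):
    """Run-key entries (HKCU and HKLM) whose command names an Amadey install_file."""
    found = []
    for hive in ("HKCU", "HKLM"):
        for name, cmd in reg.values(hive, RUN_KEY).items():
            if isinstance(cmd, str) and any(f in cmd.lower() for f in INSTALL_FILES):
                found.append((hive, name, cmd))
    return found


# Constructed snapshot of an infected VirtualBox guest (not taken from the report;
# the install path under %LOCALAPPDATA%\Temp is an assumption).
SAMPLE_SNAPSHOT = {
    ("HKLM", r"HARDWARE\ACPI\DSDT\VBOX__"): {},
    ("HKLM", r"HARDWARE\DESCRIPTION\System"): {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 7.0.18 VBE Adapter"],
    },
    ("HKCU", r"Control Panel\International\Geo"): {"Nation": "244"},
    ("HKCU", RUN_KEY): {
        "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "skotes": r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe",
    },
}

if __name__ == "__main__":
    reg = SnapshotRegistry(SAMPLE_SNAPSHOT)
    for desc, kind, evidence in anti_analysis_probe(reg):
        print(f"[{kind}] {desc}: {evidence}")
    for hive, name, cmd in run_key_persistence(reg):
        print(f"persistence: {hive}\\...\\Run\\{name} = {cmd}")
```

The same probe is useful in the other direction: an analysis VM on which anti_analysis_probe returns nothing is one the sample's VirtualBox, BIOS and Wine checks would not recognise, which is what you want before detonating a sample that the report shows gating on those values.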
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (T1547; in ATT&CK this technique is also listed under Persistence): 1 signature
  - Registry Run Keys / Startup Folder (T1547.001): 1 signature