General
-
Target
de1e8c6ff5178863e5f50d1fc8947c6564a7a955d9c8dba8c491cd26d048ebd5
-
Size
5.1MB
-
Sample
241212-2fy95s1peq
-
MD5
acaf428ed90208af41668a4c07190f86
-
SHA1
88f337de49fa056dc7617f06796dfe675a799297
-
SHA256
de1e8c6ff5178863e5f50d1fc8947c6564a7a955d9c8dba8c491cd26d048ebd5
-
SHA512
052d62eea89e37784a6f3b21f20ac8bc04ab30e4da97db5e59c7bd74b40b49e7b7dbfdba92c7b75a52463db7a52547e993db38da17994d74ca80f8bebaa7a579
-
SSDEEP
98304:z4ErJ83cVUkMafwbt2O9Kushe9WHX4q/zsBMVSCmXGLNFPPeC6vhaHQs:z4M8M6kM4wkOwuAmgX4H/QnHeCcaHt
Static task
static1
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Targets
-
Amadey family
-
Gcleaner family
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (2)
  PowerShell (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Defense Evasion
Hide Artifacts (1)
  Hidden Files and Directories (1)
Impair Defenses (2)
  Disable or Modify Tools (2)
Modify Registry (3)
Virtualization/Sandbox Evasion (2)