General
-
Target
52ce481ea201d8a0e9e9f5e89023b883334035e1427b85d2977f9c74e682d21fN.exe
-
Size
2.9MB
-
Sample
241217-c7z83sxrb1
-
MD5
30825fab1d50f101d38373952e92f6e0
-
SHA1
69d1860c308b3fb30519402aa1e08df365dc35e4
-
SHA256
52ce481ea201d8a0e9e9f5e89023b883334035e1427b85d2977f9c74e682d21f
-
SHA512
c8f26dccc3fbfdf254a1d322fb2c32a9299be93f826d29339c05035594ee52bfc2ac5ce42baa21b1ae2a9063a0b5731e0c30399b0cb435b6440d27605dbee975
-
SSDEEP
49152:cZ/jf/q95mWke8XmcIUJAkGXP5yJBHlyWhav:s/q95mWke82hUJAkGXBy7Hh
Static task
static1
Behavioral task
behavioral1
Sample
52ce481ea201d8a0e9e9f5e89023b883334035e1427b85d2977f9c74e682d21fN.exe
Resource
win7-20241010-en
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
cryptbot
Targets
-
-
Target
52ce481ea201d8a0e9e9f5e89023b883334035e1427b85d2977f9c74e682d21fN.exe
-
Size
2.9MB
-
MD5
30825fab1d50f101d38373952e92f6e0
-
SHA1
69d1860c308b3fb30519402aa1e08df365dc35e4
-
SHA256
52ce481ea201d8a0e9e9f5e89023b883334035e1427b85d2977f9c74e682d21f
-
SHA512
c8f26dccc3fbfdf254a1d322fb2c32a9299be93f826d29339c05035594ee52bfc2ac5ce42baa21b1ae2a9063a0b5731e0c30399b0cb435b6440d27605dbee975
-
SSDEEP
49152:cZ/jf/q95mWke8XmcIUJAkGXP5yJBHlyWhav:s/q95mWke82hUJAkGXBy7Hh
-
Amadey family
-
Cryptbot family
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-