General
-
Target
a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3.exe
-
Size
2.9MB
-
Sample
241217-lwt3cswpfs
-
MD5
ec45b3daf2d1998ec51ac32dd73e4353
-
SHA1
e8f3624436c443853cd19dc4e590104130a59494
-
SHA256
a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3
-
SHA512
8c127c3eeeb3fedbee970453d487e5bc69da5727d8d144a657ed2842718b79c680b4138a0f1c294fce4c12105018f36c86437af67734000f24d12016359388f9
-
SSDEEP
49152:cZ/jf/q95mWke8XmcIUJAkGXP5yJBHlyWhavc:s/q95mWke82hUJAkGXBy7Hhr
Static task
static1
Behavioral task
behavioral1
Sample
a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3.exe
Resource
win7-20240903-en
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
cryptbot
Targets
-
-
Target
a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3.exe
-
Size
2.9MB
-
MD5
ec45b3daf2d1998ec51ac32dd73e4353
-
SHA1
e8f3624436c443853cd19dc4e590104130a59494
-
SHA256
a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3
-
SHA512
8c127c3eeeb3fedbee970453d487e5bc69da5727d8d144a657ed2842718b79c680b4138a0f1c294fce4c12105018f36c86437af67734000f24d12016359388f9
-
SSDEEP
49152:cZ/jf/q95mWke8XmcIUJAkGXP5yJBHlyWhavc:s/q95mWke82hUJAkGXBy7Hhr
-
Amadey family
-
Cryptbot family
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-