General
-
Target
7dc7a8d2e9d44cae10b9b55b65585ddc.bin
-
Size
1.7MB
-
Sample
241223-bqv3cstjgs
-
MD5
d78a817814c72b41e0df5298db0274f7
-
SHA1
b8a000c31c6560e52fce7d8873aa13ecdbff906b
-
SHA256
446999d49a6900e5753695ac8582e9eaef812acee88fd908d857073e8e200b8d
-
SHA512
e4b668cd3fc23141b245db8acdcfdae8467cdcc1fac1c37abec27095250c50ec9efc1a9367873155e1adce766787e733658b9341f0ca4477d0364307b67a2d6c
-
SSDEEP
49152:7kQIMpxes2RO0VdyFDliQOZQ9769i5RLtFu:QNMpxerObJ96QRRLXu
Static task
static1
Behavioral task
behavioral1
Sample
efbfd7a968dc584c166551f171937da09dd94178b8c27e09f5eab73d1641d0d0.exe
Resource
win7-20240903-en
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://pollution-raker.cyou/api
https://hosue-billowy.cyou/api
https://ripe-blade.cyou/api
https://smash-boiling.cyou/api
https://supporse-comment.cyou/api
https://greywe-snotty.cyou/api
https://steppriflej.xyz/api
https://sendypaster.xyz/api
Extracted
cryptbot
Targets
-
-
Target
efbfd7a968dc584c166551f171937da09dd94178b8c27e09f5eab73d1641d0d0.exe
-
Size
3.0MB
-
MD5
7dc7a8d2e9d44cae10b9b55b65585ddc
-
SHA1
3e78d38a9ce837926831ea27a0efb1a262877334
-
SHA256
efbfd7a968dc584c166551f171937da09dd94178b8c27e09f5eab73d1641d0d0
-
SHA512
e33388557fcea27a9d5be98eb2dc308be8d5d8d3afcb0e27d8834a96c95ba41f97c47f59de8227fd13667e8692e9063162b1d60a84161f57e4f8905f6d6483fe
-
SSDEEP
49152:kp41N/sSySDz5y6RK5swYTz42X2GPc6mz1:K2spSDz5PK51YTEU21fz
-
Amadey family
-
Cryptbot family
-
Gcleaner family
-
Lumma family
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1