General
-
Target
2g8113.exe
-
Size
3.2MB
-
Sample
250801-gjwyzavpv6
-
MD5
2dac651df2196423bf3e5296ceb93a61
-
SHA1
c602f5f788ea7d7e4607df6252fc294ac8835562
-
SHA256
d7ab100eec217ae7edde5ad39ec0775e7ebca760ed758c63c412a6253de6a9d5
-
SHA512
4b38952bc153dcdaca3225c09407bb2c9bebefc9184c4535ba4e56245c4b5e292fbe5dcb305997b970e64b6587bca7e9a2fb781c2a76ce3e55e555d75367f68f
-
SSDEEP
98304:FBwFCT3R61SJFEU/OyaWHACRWsKNpuZKqdg1:nw4E1S3POyakUpuZVdg1
Static task
static1
Behavioral task
behavioral1
Sample
2g8113.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
2g8113.exe
Resource
win11-20250619-en
Malware Config
Extracted
amadey
5.55
fbf543
http://94.154.35.25
-
install_dir
96a319e745
-
install_file
Srxelqcif.exe
-
strings_key
f8bfac017914b836f3106c5bcd0878fe
-
url_paths
/di9ku38f/index.php
Extracted
lumma
https://cezgroup.contact/xlak/api
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://stockwises.eu/xiut/api
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
https://mocadia.com/iuew
https://vishneviyjazz.ru/neco/api
https://t.me/reusmey
https://nucleji.my/ituw/api
https://t.me/sadv1323v13q4as
https://conaqr.click/qokl
https://t.me/RONALDOORMESSSSI
https://dravq.asia/wixj/api
-
build_id
daed38a88b6c4f6724de951096eac424eff146f249dc
Extracted
xworm
5.0
hexa.dnsframe.com:66
FzSIsfqlHwWWhS56
-
Install_directory
%AppData%
-
install_file
inj.exe
Extracted
stealc
LogsDillerCloud
http://vppvpkcapital.shop
-
url_path
/45cc90de006049c9.php
Extracted
vidar
14.8
c0aea96f5dc5ea23da54dbccbac6de78
https://t.me/dz25gz
https://steamcommunity.com/profiles/76561199880530249
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Extracted
cyber_stealer
https://paxrobot.digital/webpanel/
-
pastebin
https://pastebin.com/raw/6K66Aeyr
Targets
-
-
Target
2g8113.exe
-
Size
3.2MB
-
MD5
2dac651df2196423bf3e5296ceb93a61
-
SHA1
c602f5f788ea7d7e4607df6252fc294ac8835562
-
SHA256
d7ab100eec217ae7edde5ad39ec0775e7ebca760ed758c63c412a6253de6a9d5
-
SHA512
4b38952bc153dcdaca3225c09407bb2c9bebefc9184c4535ba4e56245c4b5e292fbe5dcb305997b970e64b6587bca7e9a2fb781c2a76ce3e55e555d75367f68f
-
SSDEEP
98304:FBwFCT3R61SJFEU/OyaWHACRWsKNpuZKqdg1:nw4E1S3POyakUpuZVdg1
-
Amadey family
-
Cyber_stealer family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects CyberStealer
-
Detects DonutLoader
-
Disables service(s)
-
DonutLoader
DonutLoader is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
-
Donutloader family
-
Lumma family
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar family
-
Xmrig family
-
Xworm family
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Discovery
Browser Information Discovery
1Process Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
2System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1