Extracted

• • Target

    6e6db72ceb4e6bcda3728357c5f2339bb2bb562efdfddc6697aa765c0a0abf13

  • Size

    372KB

  • MD5

    363b7da32a06972f193f6b1364be537d

  • SHA1

    8179c3ca5ce47e110340d4e453356ebf06708c46

  • SHA256

    6e6db72ceb4e6bcda3728357c5f2339bb2bb562efdfddc6697aa765c0a0abf13

  • SHA512

    cc6e5ea6ddd3aee20c6bc0c009f1a78f996445ff5a67145e05c0a07065af59808389180a75a265f19042feedbeec971027d6f4ca1d865b1e3c022436cf9421ae

  • SSDEEP

    6144:N2YylJOEJG9FAQNt1bh0p1u94rTDh+3oQ9gOU+fzYBb6y:0TlDJjQP1bY15c9gT6y

  Score

  10^/10

  amadeywarzoneratcollectioninfostealerpersistenceratspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Detect Amadey credential stealer module

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1