Extracted

• • Target

    9b8786c9e74cfd314d7fe9fab571d451.exe

  • Size

    1.5MB

  • MD5

    9b8786c9e74cfd314d7fe9fab571d451

  • SHA1

    e5725184c2da0103046f44c211cc943582c1b2b2

  • SHA256

    d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09

  • SHA512

    9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

  • SSDEEP

    12288:0uKd2SU1qQFhpGf1U1gYZMt4TwIwwNjCBCTIXFgpWW5Gm41jKmejWYzHWsd+1Ys2:NKdKUYLm7dsTccLa1mmerbED

  Score

  10^/10

  pseudomanuscryptloaderamadeyspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Detects PseudoManuscrypt payload

    loader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2