Extracted

• • Target

    e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969

  • Size

    1.4MB

  • MD5

    0de84a66b983d2f407390473dd1e37de

  • SHA1

    21de93ab0f4e6706403e0bd3167be9aa8178018b

  • SHA256

    e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969

  • SHA512

    37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94

  • SSDEEP

    24576:m3Bdco8g+Jw+uIWdSNmppQIAni/mqjGYqXGkICzZ+apKOiz4GvaG/9jhNpNbWOAD:sxpxIGJppQIAni/mqjGYqXGbuZ+apKO/

  Score

  10^/10

  amadeypseudomanuscryptloaderspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Detects PseudoManuscrypt payload

    loader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1