Extracted

• • Target

    file.exe

  • Size

    1.4MB

  • MD5

    056d809fc0b3e0af97316dbfbba1481e

  • SHA1

    9083da544ba4653ca83df9dc04968e0d084f7cfb

  • SHA256

    033bbc64f889777be17fa5bc28439d1ee79c94a611a58853790eb865c7d87d54

  • SHA512

    a9e1a5aeea7959e819c34a90673b1086b1c61ac2fa3279798b56991885b203530398aba290e8b2e2eb3f6967b337b24e18c25b085e4fdd4236ef663fdcb21545

  • SSDEEP

    24576:j3Bdco8g+Jw+uIWdSNmppQIAni/mqjGYqXGkICzZ+apKOiz4GvaG/9jhNpNbWOAD:fxpxIGJppQIAni/mqjGYqXGbuZ+apKO/

  Score

  10^/10

  amadeypseudomanuscryptloaderspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Detects PseudoManuscrypt payload

    loader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2