Extracted

Extracted

• • Target

    c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0

  • Size

    3.2MB

  • MD5

    c3ee25c18f2c408c9054d9c6d4c1e147

  • SHA1

    80d2395709b713647b199c22fdec5415d3a68052

  • SHA256

    c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0

  • SHA512

    d91a1675ca9a2923020ce244d00da6a9b686240dc7ef50185709ecbc2f6b8f92c371ee94ec277a2d3b0e33704c532d2f8779b39ac9f630b9b40f0794312d72f4

  • SSDEEP

    24576:0cUe92VHXy4fv6hfZQGwSWF6r+tLq9rNE0TR5sTlcJxbTGX+tIonLiMjrWD:rt9L4p7GJEeR51TGX10LPjrWD

  Score

  10^/10

  amadeysectopratsystembcpersistenceratspywarestealerthemidatrojanvmprotect

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1