General

  • Target

    amday_JC.exe

  • Size

    2.3MB

  • Sample

    230902-q7akbadf43

  • MD5

    aa486e83365ae67a5778758685ca4d6f

  • SHA1

    633e328f5deb9c09e99368fa25f6deca4a601bbb

  • SHA256

    c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7

  • SHA512

    e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd

  • SSDEEP

    24576:hH1FcclmgReLIGaIhJxSJ2lKZZAsKQ7F1RBdaBZZR0DBfg92KVOikDlbnJ6dT17x:DlbKxF8qg11A1o6Xqm

Malware Config

Extracted

Family

amadey

Version

3.86

C2

45.9.74.182/b7djSDcPcZ/index.php

Attributes

  • install_dir

    f3f10bd848

  • install_file

    bstyoops.exe

  • strings_key

    05986a1cda6dc6caabf469f27fb6c32d

  • rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
