Extracted

• • Target

    3fb86005e4c3f077eabcd88c5096bd976e9741278b40e1548c8a4c0840900c10

  • Size

    257KB

  • MD5

    b1f356106e80e611deda0cc8489906e7

  • SHA1

    e673f90913f310d488ca39bcf0f1d8c208bd58fc

  • SHA256

    3fb86005e4c3f077eabcd88c5096bd976e9741278b40e1548c8a4c0840900c10

  • SHA512

    88c9b394bc0e7571822fe26920a9b3c0b25ba97572c64d08c195df889db8553b2e7a7c0928de3d53d516cf5a1f8a7df27ae3101d0778000048dff8a6704e1fbf

  • SSDEEP

    3072:OnAYAEdhDtn+5QVIu7Yop2mbCCzJIxRR+tSpwQZshhECiU/Vvx64bJivHmPKxemu:5YbemmCzJoX+tGtKL9iUXdA1xrxfm78

  Score

  10^/10

  amadeygluptebaprivateloaderdropperevasionloadertrojanupxvmprotect

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Stops running service(s)

    evasion

  • Drops startup file

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1