Extracted

• • Target

    d334fdbe7080a9e36d94001903199491

  • Size

    10KB

  • MD5

    d334fdbe7080a9e36d94001903199491

  • SHA1

    5d10fa7e8de420744a3ad3358428f16e796c3c1a

  • SHA256

    20f0619336fb27994a740fb37794d83d027646bbf0d826d8b3542f042412a908

  • SHA512

    dc57151e73e2e23709a71fc608f6b2d9e7e2f1bbbc4999a3f80443fc3599e21cfedbb6dc735e9bcd6d3421e595dacd34be01375eda9c4a5348550b94349383ba

  • SSDEEP

    192:4ctzdkaK/n7bEbIn+qeDFcugX8P6J8stYcFwVc03KY:4y+p7bEbIn+rgX8yJptYcFwVc03K

  Score

  10^/10

  amadeygluptebarhadamanthysdropperevasionloaderpersistencespywarestealertrojanupxprivateloadervmprotect

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Detect rhadamanthys stealer shellcode

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Windows security bypass

    evasiontrojan

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Stops running service(s)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2