Extracted

• • Target

    b7ff60dd4a04629b392b28542a830553cd6dd560cbc66bb710fbac465ddf4d1e

  • Size

    3.7MB

  • MD5

    9b0d78d2f231aadb1ffd3ba0983054a4

  • SHA1

    26af7afd6f7a5bc14d2c5b40f765bcdab547aac9

  • SHA256

    b7ff60dd4a04629b392b28542a830553cd6dd560cbc66bb710fbac465ddf4d1e

  • SHA512

    24d7ecf1315d31adf5ac21b72d86b8695118f34dd17778facb58c1ca6e23f5a6fe4b32959925274ab51d232d47ced04eae6d8838fc810f9c294391d2379d00d5

  • SSDEEP

    98304:ZiYcd1Ot8bYdRBLH17KlrISKB1haWZisa4zW3:lftMYNJWXKBiPsaT

  Score

  10^/10

  amadeyrhadamanthyscollectiondiscoveryevasionpersistencespywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1