Extracted

Extracted

• • Target

    a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948

  • Size

    1.5MB

  • MD5

    32187c18a470b54095365f8db359a671

  • SHA1

    3ce7f687006e176a5b1554e30decdfed60e35aae

  • SHA256

    a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948

  • SHA512

    a9873b6ac3f480ad881bee4fe52d960127696f816007ee1ed4a2511ff82f7cc10ec98ef16cdc2869b49b716d3453ee6a7d952a1988083d046ba05dd9d579449a

  • SSDEEP

    24576:92vbP2LX8eT+onZIeV1B/0ZGP5Ulz9xw0i0sx9rNqdy5/rwjXUx68BFrgPUv:9kyweTrZIQ8o2z9ST089BqurwLI7vMcv

  Score

  10^/10

  amadeyevasionthemidatrojanriseprozgratpersistenceratstealer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Detect ZGRat V1

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2