Extracted

Extracted

Extracted

• • Target

    c5ba3282a64750420d0d9dd90ac9019dda3742aa9ff202c82a7ffd178268cd6f

  • Size

    1.8MB

  • MD5

    e4bf424e5186b1219c62b82d44a6752f

  • SHA1

    b369c3e97077ce31ce9e21622f5797c8af1a18ea

  • SHA256

    c5ba3282a64750420d0d9dd90ac9019dda3742aa9ff202c82a7ffd178268cd6f

  • SHA512

    f57e86fa8fa84cc31e0cd99f219b97c6df9c0d93d9bdb79338498d5be65bc80e9062858c423b466bd340a7bf0fa059d746cbbb1a0836f89b63700afb56f8a799

  • SSDEEP

    49152:tTAHpHUIslnCg3tXIb1Xf2F5vVzCT7f1tbXuQGjdXFx5PSkTOmd:tTdIsdtXU1Xf2dzCT/Tk/5akH

  Score

  10^/10

  amadeyriseprosystembc0e674049e482evasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2