Extracted

Extracted

• • Target

    dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f

  • Size

    1.8MB

  • MD5

    8d487627035eed9b73928dfe64e1f0fc

  • SHA1

    a8c79ffd756091998aa04c560c2355aca1bce886

  • SHA256

    dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f

  • SHA512

    bc0448ba4374af2126e364ca22f063e9e4e6d92b88b130a5fbe5b0bd1968257a9b4fc83aa9b2d27675391d85d0a1f95f12b72464cedcddd2c18bccba3f8d8ba6

  • SSDEEP

    49152:DsGzMPclg3SPH2IJZoPSo5bHB0vdj+1w2+gEbnwbi+/J:DsgMklcU2IJZQFhwdjIwXs

  Score

  10^/10

  amadeyrisepro0e6740evasionstealertrojanpersistence

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2