Extracted

Extracted

• • Target

    244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445

  • Size

    1.8MB

  • MD5

    66f47ac2840baefdd81971cd13203e8d

  • SHA1

    6f3e137e99b0ac70d633118f979424d329701f4c

  • SHA256

    244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445

  • SHA512

    1f50da7ef3464e2934f1b51a254c87c672b451e207957d8a6c1ab2fa703f8ec925938c8c1364b0fa412fa0c2595a3b170de1b8f7ff88e1b91709254342e38f1f

  • SSDEEP

    49152:GGmEkUQVO+Yz3SW/qh7AyCMGCIbcshcunEpN:tmEkU2A3jqUC+hznEp

  Score

  10^/10

  amadey0e6740evasiontrojanrisepropersistencestealer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2