Extracted

Extracted

• • Target

    282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4

  • Size

    1.8MB

  • MD5

    8283d3bf4c491dde6f744e9ef5bc3274

  • SHA1

    554115881ece7ecb07e12cbf5e789cf124064018

  • SHA256

    282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4

  • SHA512

    f2b0547e28864f9bcb4cb43cf27338d59ac40c7a909b8348255d7eebc79ad9b6bcb1b785ce06c88e5dbac4c4be3adbc0d4b4395c5b33c512ee0d844f4fcc7f11

  • SSDEEP

    49152:IGxTqIz/sPpqoluKFY0ojzZoDkIbYuYnNtQQ:IqTqxpq0szZzEYN

  Score

  10^/10

  amadey0e6740evasiontrojanrisepropersistencestealer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2