Extracted

Extracted

• • Target

    16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744

  • Size

    1.8MB

  • MD5

    b14a74c894dfb0897344d10e4bb61d00

  • SHA1

    bd307d455e5ed81e10b32f96fac126172c575fe9

  • SHA256

    16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744

  • SHA512

    a352f1e45e4442208cf7a559320d0e8000b41bfe8b84327c836e151507566fda53a279b310c485b10571f84f0108409f8495bd19dd1170cc84648f99352cf873

  • SSDEEP

    49152:gOooOuVgUCStfe1JvOloNeYIRu3aCog9BxIvVlr:Noo7VZ/fqvGuoRe/B6

  Score

  10^/10

  amadey0e6740evasiontrojanrisepropersistencestealer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2