Extracted

Extracted

• • Target

    5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00

  • Size

    1.8MB

  • MD5

    57417c027a4140c3e5def85c31b40a17

  • SHA1

    250b272d82e258046f49df98b076d181b87fee0f

  • SHA256

    5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00

  • SHA512

    48f25aea42c92753d380c97a81ba3b3838ba65b6a48a97ff01bfb359e8c673bf94f68c196ce3b834f9f510edad95fae7829131557a9a464e63fa7adb9b7a086b

  • SSDEEP

    24576:evUUu7weBzsyDb7y19RdBcUeraJMD4ZVDDhKh66Q0EhQm8Wttvkg13Il2fMG5Ptb:0uLBvwcUCO22DDY63bFqg13IkVEei

  Score

  10^/10

  amadeyrisepro0e6740evasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2