Extracted

Extracted

• • Target

    c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec

  • Size

    1.8MB

  • MD5

    0723f9a966b2b172a054f8b8c5635cfb

  • SHA1

    1cdf9fd19fd91d1f25eb91bab190a35a22337163

  • SHA256

    c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec

  • SHA512

    3cdef4d4d1f7e6f69d629d926117ae34cef5ee59e9a524e37c7ea2eb877f2be133100c021189cc956bdc2b5c45b498f9118c36fc66347f3df7fe2a51e708deee

  • SSDEEP

    49152:PMWKPhn7oQT89EhEceDepxJXt6KYyUZBzTyYn/l0sZxcIJMOc:PJKTT4DctaJNZBzGuqsZdJ

  Score

  10^/10

  amadey0e6740evasiontrojanrisepropersistencestealer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2