Extracted

Extracted

• • Target

    4e7893d0ff1bf6cfa8af1b8f46a9a33ddae7ad5fc5508a3ddd46148d694bd90e.exe

  • Size

    1.8MB

  • MD5

    5ef984ab387c69773662e8f280692603

  • SHA1

    deba3562cd5cb83f0c9f2521b799a2f99e09993b

  • SHA256

    4e7893d0ff1bf6cfa8af1b8f46a9a33ddae7ad5fc5508a3ddd46148d694bd90e

  • SHA512

    f418c5d524ac88b8adf1d4a169c438b417957acb5ba43af16f6765f96d26cd0b5516327e7b93f43846d364c8e830844d2018c74cdb881f38a149d7408bbbf00f

  • SSDEEP

    49152:j8xNtTm/Zfe3qOUnHxJ+arrIXOtAjBACqTjVuwNUoyKNbszAUc:ANh8dsjcHxJ+rXOtA6TjJU5Ma1c

  Score

  10^/10

  amadeystealc4dd39ddefaultevasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2