Extracted

Extracted

• • Target

    b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d

  • Size

    1.8MB

  • MD5

    3ffa502d38a0841f54f2bb96f34eda85

  • SHA1

    d152f8ac6b6c1ecb8f80b77f2182e6e42e43b731

  • SHA256

    b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d

  • SHA512

    5a4896936a85baab8e322618683ac72091d968253f2cab2227c7126365c07ae9ce3f19ab3f0a4f1d690773d7ad702b70da786f68e0c60058d2d59dc2f08a6dca

  • SSDEEP

    49152:jGgRd+om5zN3V9dOjDMxzZeCCWWDa+DhBsxVbeCee:jXRd+T71eTuaMe

  Score

  10^/10

  amadeystealc4dd39dsilaevasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2