Extracted

Extracted

• • Target

    6dd3d6081f01c1fb88b36ecd336005ab3571876be404efe416a7248866868191.exe

  • Size

    1.8MB

  • MD5

    6f59ce88b52487bba7eb59e81525c4f5

  • SHA1

    83bb1abc3bd3b56bec0a68d6cd0df63bcf975ad6

  • SHA256

    6dd3d6081f01c1fb88b36ecd336005ab3571876be404efe416a7248866868191

  • SHA512

    985853c822cd92ee4a1f2a04eb63ee4e6692f23144683cf40e5a402e7a81b951acb1d489c0e5292c0b78aab99787f89dabcaec5b25975f706f52c01601293860

  • SSDEEP

    49152:k7FXgGgW5JEKR/99GAdrdKZWILQ5qDjVN:kXQWkK9HFYpQ5qD/

  Score

  10^/10

  amadeystealc0657d1siladiscoveryevasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2