Extracted

Extracted

Extracted

• • Target

    6c9ceed93757cb48ec7f85f483cd906fb9a24e4e394c84f130ba07a23724c990

  • Size

    1.8MB

  • MD5

    486e4b2cf76db3355297c22657657c14

  • SHA1

    ae1a2d6c2e5bc188961e2ff13b1c7187df5e7946

  • SHA256

    6c9ceed93757cb48ec7f85f483cd906fb9a24e4e394c84f130ba07a23724c990

  • SHA512

    2b35323422c1aa7a377f0b271a08623e057f2ab5263469e3014cfda52e2c09ade58b7fbd2f7db6513c66b4b2029bd437ef2dbca73256b325499a6dc654f08125

  • SSDEEP

    49152:+dy5ZEGoBGfMvUDD9dfYx9Vs6UEv22FJihh5:GyEtGUv05dfY7sQe2FJM

  Score

  10^/10

  amadeystealcc7817dkoranordcredential_accessdiscoveryevasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2