Extracted

Extracted

• • Target

    d9c0e7625329b9c334c1e7b651705092b952f9380d9f57d1c6bae5ca947f33d7

  • Size

    1.9MB

  • MD5

    fdcd8bbf65e17d1bbbe56d9f2ff603e3

  • SHA1

    70d11950aafc98b3a18b6ca3088f228fc4291078

  • SHA256

    d9c0e7625329b9c334c1e7b651705092b952f9380d9f57d1c6bae5ca947f33d7

  • SHA512

    e8ec0edb5b812c7860d10f83e56b379e3621832d955535e88bebb3034cb7af954807e1be90ac4f3c9232451ac36d24a4f4658fae3cbb9d406dfc4bcc051631cd

  • SSDEEP

    49152:mYOoJgl+634bx5gDZZZiq1YabN3PHbkf39fk1nW5/o:wonviriqyy1HilkY5

  Score

  10^/10

  amadeystealcc7817dlevacredential_accessdiscoveryevasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2