Extracted

Extracted

• • Target

    ea138d7d66a019829246b7a005aeae4a983054dcc7f2785148a8891ecbee03f7.exe

  • Size

    1.8MB

  • MD5

    e9032bd6b7f9a11522cedfca03475bd2

  • SHA1

    c40aaa57ea60cf8e59eab614e9964e8b918da330

  • SHA256

    ea138d7d66a019829246b7a005aeae4a983054dcc7f2785148a8891ecbee03f7

  • SHA512

    cd09ea873547c8481efe93b1c22d51c40ab29469d5184a56632b61811c596a5d042349c56473da86066b18c4068dc75cf2a1d3941ee0833f0b51115808f5fbd1

  • SSDEEP

    49152:a6FQLJIs5Yt1UfEjICgpaQ3/v+GHRRM3l:hqL0TSv+GxE

  Score

  10^/10

  amadeystealc9c9aa5marsdiscoveryevasionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Stealc family

    stealc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2