Extracted

Extracted

• • Target

    977e7a47f360bba3fb56459cf88313a5e33a58f9012e8f2afa152ddd12a21ffd

  • Size

    5.0MB

  • MD5

    acb3266d0eaf73aeed8ca7cf72db2048

  • SHA1

    5c9a7988f19f35a56ca71db05e35bfaa3c047b97

  • SHA256

    977e7a47f360bba3fb56459cf88313a5e33a58f9012e8f2afa152ddd12a21ffd

  • SHA512

    a3077d5cce730f935b704908eb9846b57ca7738aa9ff245a904b3f5daf507fd75a77665e5dc1d3316c909ee7cc0bd1c7ff516ef56244926c2aafed0c3ebbb168

  • SSDEEP

    98304:N+QLZhpPUpY4Rhq5KJ1PM/4smlOUHs9GhMeJq0ubY4MorvL:4yZ8pYwtP+Jmld8eQBrv

  Score

  10^/10

  amadeystealc9c9aa5stokcredential_accessdiscoveryevasionpersistencespywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Stealc family

    stealc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1