Extracted

Extracted

Extracted

• • Target

    79e3c982bccb1dfc82910ab4a93080f1bb98f406e170751f118a6e49a0955e35

  • Size

    5.5MB

  • MD5

    37dba1eb6b423de4bc99daa73ad84735

  • SHA1

    6e1857c13eff12a4af572ea4e0290774355bd068

  • SHA256

    79e3c982bccb1dfc82910ab4a93080f1bb98f406e170751f118a6e49a0955e35

  • SHA512

    2f80a10403e86fc25f0006398ff9c7710beaf981da15afcda9fae6a1e55b9aee194412223abd39462f8556e97f82fa977c1d076167b5fa30dd467db88783b053

  • SSDEEP

    98304:+D+rKebSGX1X+i6Uc2zB8EQd+Et/DSL5z7LQUVEmuMAFM/xQIwfh8w1q:9K2N0+Et+1XLQHmPaIO

  Score

  10^/10

  amadeystealc9c9aa5bratdefense_evasiondiscoveryexecutionpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Stealc family

    stealc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1