Extracted

Extracted

Extracted

• • Target

    aa6ee7a8c996fb88fca8a69ea1b26245e6a7478c3ac4870b8368b6a884651416.exe

  • Size

    3.7MB

  • MD5

    ff6cff4780baba5309245b2bcd2875b2

  • SHA1

    46477dcf2b206065cecbe1e5f35de6426efa3765

  • SHA256

    aa6ee7a8c996fb88fca8a69ea1b26245e6a7478c3ac4870b8368b6a884651416

  • SHA512

    6ec4cc5be93193dfce868245e96a7e7d1e20198feb02c73c04fcd1b84a6928a69492dd3894ad31d7559cc6cec14e3395a5f144753aab1b4bc4822160ea0fdce0

  • SSDEEP

    98304:7+qe0GgBut4jxYul/1z88VRLIyQ5AGHT9Mf3sKB:7KwuQ7dwIIyyA0MfF

  Score

  10^/10

  amadeyasyncratstealcvenomrat9c9aa5defaultrenocredential_accessdefense_evasiondiscoverypersistenceratspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Modifies WinLogon for persistence

    persistence

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Stealc family

    stealc

  • VenomRAT

    Detects VenomRAT.

    rat

  • Venomrat family

    venomrat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1