Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    8f28d4d62699c69dca48c1bd99f201f332121adae49047c7547e672e0a6f06fe

  • Size

    2.0MB

  • MD5

    6d2823ba3507697ffa339fcfbbf50bb4

  • SHA1

    dd219c54f269a83ded50f04988316092ecab3d94

  • SHA256

    8f28d4d62699c69dca48c1bd99f201f332121adae49047c7547e672e0a6f06fe

  • SHA512

    8264f498304e565f1ef4f1331954fbe8c259d73471b9da8403bda3e9a7fb2dc5ffa794368d0d2b3cace3ddcbbf784b70d4d656ea761777689401935930b7d698

  • SSDEEP

    49152:kTZS63k6rR/cNiJZ+OWje721ML9kj8E5HxdroGZooOnNd6Z:kTZSZ6r1cNQZlWq72iZkjVdrouooONgZ

  Score

  10^/10

  amadeyhealerlummasystembc9c9aa5a4d2cddefense_evasiondiscoverydropperevasionexecutionpersistencespywarestealertrojanpovertystealerransomware

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Detect Poverty Stealer Payload

  • Detects Healer an antivirus disabler dropper

  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer

  • Healer family

    healer

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies Windows Defender TamperProtection settings

    evasiontrojan

  • Modifies Windows Defender notification settings

    defense_evasiontrojan

  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

    stealerpovertystealer

  • Povertystealer family

    povertystealer

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc

  • Systembc family

    systembc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Renames multiple (1548) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2