Extracted

Extracted

• • Target

    8eaa7ad34528289684777fcf058947abb8ce4aab282ecba9a4839feda9005663

  • Size

    2.0MB

  • MD5

    d6d3e6909f25bf38ce55fe6987ff2097

  • SHA1

    212a5e74484221aaf673e1a18943da47c6459b8d

  • SHA256

    8eaa7ad34528289684777fcf058947abb8ce4aab282ecba9a4839feda9005663

  • SHA512

    005d5a88271f58113be5354700863afc8ff483b61af118d5f5b5c9d5b9fc52e4d7fb0d50e9d2aab21a5ff143df5a92f2a2f37b94670d3ae461f74011064b162a

  • SSDEEP

    49152:uyyiRpW5NO7AWKLdi3cbRqKnf2hZlZasoKPhHWl5fBHDx2tN:38WEVqKOhZWKpHWl/Dx2L

  Score

  10^/10

  amadeygcleanerstealc9c9aa5renodefense_evasiondiscoveryloaderpersistencestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Stealc family

    stealc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2