Extracted

• • Target

    a591bec5cac7d8e2671068c88e3a41808e55888ce9220093a11b93693a0ad4a2

  • Size

    4.2MB

  • MD5

    ff08c779369ec52a4f31721ec5f21cc0

  • SHA1

    b5e80fe4ef98fc0ac23223e6edada3622d63c0da

  • SHA256

    a591bec5cac7d8e2671068c88e3a41808e55888ce9220093a11b93693a0ad4a2

  • SHA512

    0633a4ce0eead922cb75f4bad15d419213d1bd98fedf351ed4f25204d7065ad21b24412e985ba37135e77b41daa05119a7a731282b1e3676c9007b7a71724b4b

  • SSDEEP

    98304:aXQL86ZtG2fZyxobYPe9qVg8xhctOiJbA/N5NOL9L+xBgq:aXCU2fZWCYPe9uhg8iG2R

  Score

  10^/10

  amadeyevasionspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2