Extracted

• • Target

    038183aa756567953d50c5f949bf1589a2dab9569af4c69abed3367493597d92

  • Size

    1.8MB

  • MD5

    00fc28c4a37b61ca87e70cfe70ad507a

  • SHA1

    a89865e57b5767162693f1b914b971c1e7c50b36

  • SHA256

    038183aa756567953d50c5f949bf1589a2dab9569af4c69abed3367493597d92

  • SHA512

    24d2f7c9fca65541092d36ea3d111fa205e1f850fdf93d213516e4a4b8d93654b1944de2efce4fb96b6bfb9aea9b39b595ca9e1ff8759ea433e5c3be20ec6a69

  • SSDEEP

    49152:Ho3Cyffva7/E84xDaRQrFhKVRzihH6HPa1:mS7/j4x2RQZhGls+a1

  Score

  10^/10

  amadeyevasionspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2