Extracted

• • Target

    b1d107ad03eebe9dea02a53578c223f5af87dd4c81d1520bbb40c04ce326dd2e

  • Size

    1.8MB

  • MD5

    e5749e3d5ee5eaca5052e737f8963d79

  • SHA1

    ef60077563e3f0c169766b751ec6b4618ebb39b6

  • SHA256

    b1d107ad03eebe9dea02a53578c223f5af87dd4c81d1520bbb40c04ce326dd2e

  • SHA512

    7ce79e3f4b2f1b97e2e375299a3cc450e954f5ea97f444999103ca2c436f6e48c185c1675800a71ab793f7ce6725a8a1a11cc3ebf9a9261d800e381e80bbed6a

  • SSDEEP

    24576:WYXauJSzNTuk73AI/g5KxAskRgBMVeLDF9drBtQFpZK0AK2UeLg++DXfZz8sRH+5:W1BTbFk20eLdBtQ7SUWF2yL

  Score

  10^/10

  amadeyevasionspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2