Extracted

• • Target

    10b4e10a2ea87dd5cc06b2924cd8ff1cb7f90b89719017e95d9c746021f30fa1

  • Size

    1.8MB

  • MD5

    7f84fef1e9da6502e7d41c0d4f326b75

  • SHA1

    0e718ac8f878f07526428fd44709f798f1808d7e

  • SHA256

    10b4e10a2ea87dd5cc06b2924cd8ff1cb7f90b89719017e95d9c746021f30fa1

  • SHA512

    7220f644065f4845a29c361557cd3ba5d97c8c1ceef8603308e85349920336885413e2238d7dd5e831dd0c6c1aec83bc45d4b966e32ad1f4e7168a0883520c1e

  • SSDEEP

    49152:mZZrpcoadNECxYPmHCPampPzRbqQlNO8uICfyhMH:mZPcoanK3bFlE8RCfymH

  Score

  10^/10

  amadeyevasiontrojanspywarestealer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2