Extracted

• • Target

    b3ae142a09befb0775b411fced220b4d978f78688ff9b74195d28c4fe5c4137a

  • Size

    1.8MB

  • MD5

    aa0f8f64f54a8d34abcd26fdb0363965

  • SHA1

    330879ad9208d1b8e5acfd1166f2bcb3be7cdc77

  • SHA256

    b3ae142a09befb0775b411fced220b4d978f78688ff9b74195d28c4fe5c4137a

  • SHA512

    d9d32d51ff98893b6df098d811d0bc0ae02dfc20fd835d5ccda6a013fc1eb5cddcd54abe1fb985434cb48f80a400a4dd4ae7ab0c4562b9552fa1d0b13be7498e

  • SSDEEP

    49152:E3/bn41nP3EAv9KAa3Yf1sh1zjzRmsTc6W+Uco6:Ejn4BUAVSYfOhq4c6j

  Score

  10^/10

  amadeyevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2