Extracted

• • Target

    db9516f0eacf8b582b23529e92bf8105f34d397dc68753b5eecd2f68ad760efb

  • Size

    1.8MB

  • MD5

    964a4d1bec06fb43472743526069fad6

  • SHA1

    1197831a7fdb37fc22eaf2760def19b15e291e7c

  • SHA256

    db9516f0eacf8b582b23529e92bf8105f34d397dc68753b5eecd2f68ad760efb

  • SHA512

    68f436050424fab67fe6b9bc25a9321cbdeac42eb73a2a1cd62eac211b17a58d470427b6f93f20b60f8abf007f099c097a89662364cf57e25802d00b305aa352

  • SSDEEP

    49152:aql+YnHaZtSVzyNlsGldRHsRxs+NJLZqmJNS3tw:+YHakzyNmgdRk2+7LZqmDS2

  Score

  10^/10

  amadeye76b71evasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2