Extracted

• • Target

    0925922fdbe39d656f15635e1475b3daccdcbe6aed4555e8dddba81b4e9cd9e5N.exe

  • Size

    1.8MB

  • MD5

    1b76ce01a75d21a292f4c1385d625380

  • SHA1

    40cea1325440d9c274e5c425216c9c6180172dcf

  • SHA256

    0925922fdbe39d656f15635e1475b3daccdcbe6aed4555e8dddba81b4e9cd9e5

  • SHA512

    8ebda3dd5a543c5fb7d1b7e408756f5db2b276f33af4df819e2ed8f3264efb8771d14143b7c8bb1ff0e4ea64159eb2010d9118308cf4fdd756357d07ea65e3f8

  • SSDEEP

    49152:X6bTxx/XKRwms7jgJDV2QT3pp2ARtemRW8mVT+7f:XEd0rsv4DVN1pZRtemRKVT+7f

  Score

  10^/10

  amadey4bee07discoveryevasionpersistencetrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2