Extracted

• • Target

    dd4631ff476f9d1a86bd276f62b99439b134a25cb4c014afeb3a887e287b7f42

  • Size

    1.8MB

  • MD5

    32681961fd7c17f72ea35ad400a8a4ba

  • SHA1

    7aa6e1890b4582933d9bcf97cfa3abdf6bca7dd9

  • SHA256

    dd4631ff476f9d1a86bd276f62b99439b134a25cb4c014afeb3a887e287b7f42

  • SHA512

    279959c113ab6f530d268566c3c97d51401e9fbd25d75559cdd08c0def1fd4cd3126eb9b0e7bef2f53917f83f73ba8f799666dbb27462bd0fff6ea15a7ea412f

  • SSDEEP

    49152:1+YlzZdwES91V+KjGqBR+dqzeUM1/Yjf8sbx7BgI:YYxZSpTjp+IzXpf8sbx9gI

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2