General

  • Target

    603938f595af3a87bfa9aa8bb32786e7e281dd49dd9562766febe381867972f1

  • Size

    2.9MB

  • Sample

    241226-fc1g5sxjgx

  • MD5

    38ec94364985dc8659d0ca14d1055285

  • SHA1

    98107fc8ab309129a20731c5a5afa5f70cfba049

  • SHA256

    603938f595af3a87bfa9aa8bb32786e7e281dd49dd9562766febe381867972f1

  • SHA512

    84dd3688dc9b10d0eb10d086b7afb4d259328a2e7e27c034a5f496f49f238838aee0091e8b3cc89eb3b6be61a5e4db6018387cb9ff09d68315da6b04d4f35e25

  • SSDEEP

    49152:QpYiywBKlEQwGeVnIR+wrJWtZ7SL4W0cE6M:ZiywBAEfGeVIRHJWCL4W0cdM

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes

  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks