Extracted

• • Target

    0ae2c8acbddc48dd97f16512c7f8e00442411f9e3fdca1253d2a20d480030857

  • Size

    1.8MB

  • MD5

    71daba5a5cac27f1ba8b68a2b73f8ecd

  • SHA1

    25673a28eb575db5644158f630f679f33c51908b

  • SHA256

    0ae2c8acbddc48dd97f16512c7f8e00442411f9e3fdca1253d2a20d480030857

  • SHA512

    9965a705a6c6fadd432d86a4e4b387e93a0ddc2517372143f77051e65c046d246719c59919f787b297eeb5918f4ffa7afb0e7ebdb41f1d2b68d9aa74804da82a

  • SSDEEP

    49152:5faLYI++gAFsG+pvgCVprZYuE6DGjo7EvxAx:VTwJsG+tTZlDJoSx

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2