Extracted

• • Target

    2e57ec4172e947304a8776d868d9bce02b481e0ba3f6dcdf33c4d53aa4ee800e

  • Size

    1.8MB

  • MD5

    6b05aab3d349d3531c436a923b624939

  • SHA1

    fd61f3f56f3ad9b5710a34407149b12aec3f93f0

  • SHA256

    2e57ec4172e947304a8776d868d9bce02b481e0ba3f6dcdf33c4d53aa4ee800e

  • SHA512

    a0f1238fd3849180f2eced451c9142ec6f9158c2315ac1dccd59ae4fdc5d967d3aa4171386b5fb5af1e18b187b967d69493c7b1caf0e96f9cd31aff289954bef

  • SSDEEP

    49152:S6PjRYgFzMWrK8b550emFBcCqczwPpX4wGN:fP1TRme/BIwa

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2