Extracted

• • Target

    7883a75320d53f5561b3e9a8c2fbe525413ceef47ff435e7834d62a9ffde14ad

  • Size

    1.8MB

  • MD5

    644d55ea767b2ec3937c9b41ef6ab624

  • SHA1

    4f144da2f65c259b3a663369f55063feebae9c28

  • SHA256

    7883a75320d53f5561b3e9a8c2fbe525413ceef47ff435e7834d62a9ffde14ad

  • SHA512

    bd24f804462875bc3a7c78e07248f5f1eea4e0649e21ba8858622bcdf00229a85c7457b8ffd87e671677f3727cbb641d936e87a70f8ed052c5a2299108c401c9

  • SSDEEP

    49152:T7dybQKjESJDHCgpaZR16X8BEXmMS4xppIvTUVwmX:nvkBJOc4AMBlMS4xkbUO

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2