Extracted

• • Target

    f7c995b8d3481421995d3e9a96e01507dada23cff6d29ed1f32403f3ec56ec28

  • Size

    1.8MB

  • MD5

    f0da729f8b69e24b0ccb02d116a7f2c9

  • SHA1

    44aeebc056bfcaa6dfdb48e69c4db4a1f690d127

  • SHA256

    f7c995b8d3481421995d3e9a96e01507dada23cff6d29ed1f32403f3ec56ec28

  • SHA512

    00043c5a303fba2e7a6bfd8daf18e05a2bceaf01256f8acffaa75dd0595cc719e313759319cb80fb959be7ee862737d0d80ca47b35186567c43f6768809d3f87

  • SSDEEP

    49152:dk98iw3Zg9G/psC38NnaMZ+f6YagQryTooe2Ie:mit3ZD/um81jZXYoCoxe

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2