Extracted

• • Target

    9df824631d77d06bd607436b7b110ed2c4359c5f31b951da63f6dc06dd4c4702

  • Size

    3.1MB

  • MD5

    c86a777661ce6c3db00c1ba85c324ca7

  • SHA1

    836a455f2eb9fe07e304938e09aaf7fed7367da1

  • SHA256

    9df824631d77d06bd607436b7b110ed2c4359c5f31b951da63f6dc06dd4c4702

  • SHA512

    5107f115f76662ec1118e7519724d14cae204420087628f46a8ae9e5ab3f4939be325e79a66ed66a95c4899f267db671e2e74ddcf39439f43d0093eaad88696e

  • SSDEEP

    49152:cldAfHCV/h2UM4foci6FuHZs1Z1xkR2hRXnxrJE+:EAfiV/h2p4QhWnu8fhre+

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2