Extracted

• • Target

    74b5290b8e5833a76884a28980c7f5ce27f6757109759848c5437a7410ef020b

  • Size

    3.1MB

  • MD5

    0e1a8ebf6eba102aaecaf8f7c5856223

  • SHA1

    05a7580a01e5e9996ba6267e515bedb75fbe33bf

  • SHA256

    74b5290b8e5833a76884a28980c7f5ce27f6757109759848c5437a7410ef020b

  • SHA512

    c299b26f9cb948d32e24cb1101f53254455c0056b00a035781f47563a61fc52caf5fae0b1209253e381d5e7e67b662574451308da8c7bd67c103a0af233e7d7e

  • SSDEEP

    49152:JPW9Z4C0Hg4yOW6wpKuUV0Ikh7IbeI4gv2ShDLyRNLTyEt0p:/A4HW6wpXUV0Ig0tpFLyTyEKp

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2