Extracted

• • Target

    cd382ef8521c6dafc7eba8ff58373be650f8cfb9142133e1ef9decf0a93fa2bd

  • Size

    3.0MB

  • MD5

    2403937faddd91bc030343f0369d4bc9

  • SHA1

    368d948876e5add93853813dc5cbb883aaaeacb9

  • SHA256

    cd382ef8521c6dafc7eba8ff58373be650f8cfb9142133e1ef9decf0a93fa2bd

  • SHA512

    1a769dceda14513b1fb9c801b9c30d8356990edc65e769663f4ce7c8ea71c6727b82a331681c0df613fbd4da12ae3ad3a8ff588f09f6ab3f78746262873e77af

  • SSDEEP

    49152:RHbEBmO8y5pCzutXBzmdLKP8dztZEPfBXfJrpm3yf:RH4B4y5pCziXBzyLnVtZsB

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2