Extracted

• • Target

    101c869602046c8cfae8c74b3db6ebfb5bf680048abf3a2f940053c820a72607

  • Size

    1.8MB

  • MD5

    35332001f29009e4edb6fc1caa74ee91

  • SHA1

    71fb1ef92968f908736b0f3c7fbf0bef15122a07

  • SHA256

    101c869602046c8cfae8c74b3db6ebfb5bf680048abf3a2f940053c820a72607

  • SHA512

    e45a496d86e8aa0b91c8d2ab10555091bcdf0775999af44e204e77f3767ebeac35ce6fae1ab4b56fc2f7903eb3e62c4589aeedb96ec3bc6af2c925a80b75f947

  • SSDEEP

    49152:3FXFaQVCqHfd/i9yTMSSYn9Pb3LHiVRr:39FVtr5DROVRr

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2