Extracted

• • Target

    fb61ce1f44e6dac66f74913139901ff98a67dd41067b6c1026c3b60e5780b29d

  • Size

    3.1MB

  • MD5

    a6f6891fa625bb88fb785f4298b7d9cb

  • SHA1

    af3b8422ea1782dcea0bd0273aae8ccc8af394d1

  • SHA256

    fb61ce1f44e6dac66f74913139901ff98a67dd41067b6c1026c3b60e5780b29d

  • SHA512

    dbfb769e72e61db186105cdc2e114658b9f71928a6db7bcf87f5fb69fe5c3c5fe85446bb721d22add887fa87633dde76ce24f37e11cc648842fe8b48004a003c

  • SSDEEP

    49152:FL7fvQ6UCXF94rozobptoByCoUUCUTy3ucnZm:dQJWr4rozEt9Czb3PZm

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2