Extracted

• • Target

    2b38d8f2a7c18f5aaab9aaff3ecb9959e3b0d53d2c3261ce4a31bf209357c1a2

  • Size

    3.1MB

  • MD5

    a64fd1f3f82338a26883a804b87d0c8e

  • SHA1

    f6d23a8676c036ae603cb4fb7d653785eb6ef987

  • SHA256

    2b38d8f2a7c18f5aaab9aaff3ecb9959e3b0d53d2c3261ce4a31bf209357c1a2

  • SHA512

    6816f464411c0fb56946df21d382c41f336fdf8201ccdf1f809a282f4d7708a3cbcc58a0ed87a5122aaf2f4b39f9b1c66231a84b357c5767323ee85a0ded6cc4

  • SSDEEP

    24576:fyyVREfG6Xc0qWILpq0Gx9tikX9X13n5u6st1hECknauC7WN0sMKnGOjwOan113p:j3R6Zx9L5C4IiFcr1NFTrHfp9F2U

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2