Extracted

• • Target

    9f5ce4132d2f5993ea7bd7664e9796717266ae2b8c0b2409bbd8af3c8723f22e

  • Size

    3.1MB

  • MD5

    6c98fde238946d932ecfc0243ea9e21d

  • SHA1

    3fe8b50191dd764a619d861c2654fa532a71cd93

  • SHA256

    9f5ce4132d2f5993ea7bd7664e9796717266ae2b8c0b2409bbd8af3c8723f22e

  • SHA512

    a49645198e249f00e49163139c920b9680c3507049b0640b7a473643a9f68b14ce470a97c8f66a98e60ee9593bba0a6b146f8e89af60708868aee1909b0b3179

  • SSDEEP

    49152:ynLcUzMwK9S2Lk9thaf7Kf/RBayHU/rVwLn:2MP9Sl9tY7Kf10/rVE

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2