Extracted

• • Target

    516f82cf5155ee5aef2cb28ed1409762b91494a0f3af7ed3262825fdf90ded2a

  • Size

    3.1MB

  • MD5

    16ad05cd6027ba20571e8eba43be11bf

  • SHA1

    aaf315c32efc8e93dedc71656e87acd72e6aa1df

  • SHA256

    516f82cf5155ee5aef2cb28ed1409762b91494a0f3af7ed3262825fdf90ded2a

  • SHA512

    1f8c8534fad49cc8a5970012fd345ac8ac62d7124e8900b4348d53c5514c7645017c7da205f2937b323a031391b7ce0478f76efc8215c612fa4010e2f2471f24

  • SSDEEP

    49152:UjWjPaQSKexaSHrvRs2xrj4ItQxs39a9MCzcu0Zotls:UjOaQSzIYrRvjdtQAkMCzQ

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2