Extracted

• • Target

    80bb9c013d5486e364bf67136761b32a337d86eef0d95f6825b8c3202e2a677b

  • Size

    3.1MB

  • MD5

    ee75f556e0ef4c3f8af20e442d0e00dd

  • SHA1

    f3a47cf0a27efc002e447772a320727bee9a3713

  • SHA256

    80bb9c013d5486e364bf67136761b32a337d86eef0d95f6825b8c3202e2a677b

  • SHA512

    870a210d845b75caaea5c9269bcc79704905c2f425326ac76d9a15038d47e5acffd507c870d36177bc27c8ec27fea59ec5e8d9f89c4412f66424d25b27b5a338

  • SSDEEP

    49152:doayFwXyL+94tVOs2aHtQ2H/ffPWTE+0Qg/F8S//5:d8q8VOs2aHuaOpXg/2S

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2