Extracted

• • Target

    c4dd95cb7c3ee36faafa00266ef173df5cec96d1ae5604591b0ed9a77fcd0b9f

  • Size

    3.1MB

  • MD5

    6d7ca0f47b89ad48a11b0f47927cc3b9

  • SHA1

    4aa35099ba998ef195d55482ed19a6f62ddee362

  • SHA256

    c4dd95cb7c3ee36faafa00266ef173df5cec96d1ae5604591b0ed9a77fcd0b9f

  • SHA512

    bbd148d67186b7b0cd23ef7a5f0f9b7de5c145b696e75b95893ba16fe7efe306d6c4dfaff4b53631523ec4461e99885b49bdcf9658c43ccb59107315908f4688

  • SSDEEP

    98304:L2tGsngZDbM1GWvEbdeir4cb0k87VY1xUpOQ8qdiM+C:L2RDvSz3R838qdd+C

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2