Extracted

• • Target

    0bbba72e359957fcd781d52bf3e3bb3d665acecbf5a03e8bc1be7ed9e67a2d43

  • Size

    1.8MB

  • MD5

    814b442983a15a5b467db674b725b953

  • SHA1

    65a555c9d21eb4ba3d9cf82d594ef3b20f5f42d3

  • SHA256

    0bbba72e359957fcd781d52bf3e3bb3d665acecbf5a03e8bc1be7ed9e67a2d43

  • SHA512

    2525635ebfb3b734f3c08398e7bd61a643f2f57c0e25fba3bae94ee68ed318a68554d8b6ea231ce4c211ce5ecc91f9f5b2c390362404413aedbe0711d2fdbe76

  • SSDEEP

    49152:HY+b+81TaZc8PR6mpvRc+bbnPSosddxGu+Yonj1d:4Y+nW8Pl5XXspGL7

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2