Extracted

• • Target

    99f093cf9fd8a2fdeb609c9ec86e3af5267a0794e6bac15d1c5838d2a700fb4e

  • Size

    1.8MB

  • MD5

    ef1412117a0aa964b11f5e5d4f535c46

  • SHA1

    a9319c7c7c05d00d26f4b4b2740b61ce77dcb9d2

  • SHA256

    99f093cf9fd8a2fdeb609c9ec86e3af5267a0794e6bac15d1c5838d2a700fb4e

  • SHA512

    3f1638ab19758b9e33785d2ad8f330317ad1e6bdab0d66c6b1855d6f82ca821d27714c01fbaf56d5b9cd90d99c6245a4f84a774004d66d7ec228beeabb7dd28f

  • SSDEEP

    49152:+UXM5pOFXNw+/CWX5hUUBdJ/8ceptKg/QCCR:+L5pMOGhFh43K

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2