Extracted

• • Target

    00ae107fab488b2feba9d94280ab5117d0c75a72dc2c55fc7399936e1603e59dN.exe

  • Size

    3.1MB

  • MD5

    34698d20fc8c87a206caea0be81baec0

  • SHA1

    4a968187ff69f12c884660cc9737448d34bb6f99

  • SHA256

    00ae107fab488b2feba9d94280ab5117d0c75a72dc2c55fc7399936e1603e59d

  • SHA512

    9f42011c1dedd311df273dccba378cee1e86251df7ec50d84346d374844b88b809278184b711f09924c5ea6a357d8f1f692bea751ee54161217d0a0b5ce1e713

  • SSDEEP

    49152:ywGBwlj/Lj/jpJnpCzr0+eXOVJ/n8fDNINsxtdZ:5GW/Lj/jpJnQzY+eXOznoNUsxt

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2