Extracted

• • Target

    ad47bc8e31783a38b2e99e65c3976d66478ab200baab6790fabeb94e464f4ac8

  • Size

    3.1MB

  • MD5

    798ebf4f99b115e0c36c20784795a44b

  • SHA1

    96d1af6618cc05df1d4a5406b423b73718c7cea9

  • SHA256

    ad47bc8e31783a38b2e99e65c3976d66478ab200baab6790fabeb94e464f4ac8

  • SHA512

    925d83a61ba020ec3000f95461273aa1055fdd042d099f6c8d2239298255d95319f496a55355f61ea8d80c5d6601cc419f0a5d0a2dcc84eeb3d38f59d3dd8c4f

  • SSDEEP

    49152:5aTIIbIVsRgWA8RLrRqAXpc6UdkojYZ1Gj9jfDDVeH:sTIIbI+RgD8RLVqApc3dkokD6fDR4

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2