Extracted

• • Target

    0fa242fa225911b8c835f4e583e03e79e5b243082677c7c43957814e7227c649N.exe

  • Size

    3.1MB

  • MD5

    d2c2c190e35b6a6699417a9b19ff8980

  • SHA1

    e676456ca2397e3bb10e76effb4d0395ccc1ad8d

  • SHA256

    0fa242fa225911b8c835f4e583e03e79e5b243082677c7c43957814e7227c649

  • SHA512

    b78baac3c38bf1753ef5d188bb74c47f8ab6c58b0601b6c9752005a52887fce41de1e7254b720690319672b3c996257ad842940be8c3d2b89b0afa23f92faf13

  • SSDEEP

    49152:2ZhG2Xa++0zjTTPTLYhECvD21Ifus0m7Mm+k8tDTYDb:anqfIjTTPTLcEQ+2Sm7b+k8toDb

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2