Extracted

• • Target

    acdec9f93eb043c279c6ae0c75a191528f31647c263dd62c0754150b6600caffN.exe

  • Size

    3.1MB

  • MD5

    4148cafd806b4ed7ed2a705aa6d49b80

  • SHA1

    4ebf1d195cda44102d747de00d8a27791395909a

  • SHA256

    acdec9f93eb043c279c6ae0c75a191528f31647c263dd62c0754150b6600caff

  • SHA512

    11938b78bfb59843a851d0ddcf5d865a0c658f1ab0923bf196931576ac9c88696fbd14e2a611811cf3904f81080db2bdb157ca7733da3391fcb67095c7a54f00

  • SSDEEP

    49152:ylaD4bVNjGTGIjd61i/RRpD6KpgXp4DOoQz7z:ylakbVNjGTxR61i/RRpDVpg2CtX

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2