Extracted

• • Target

    a3cc3171c941b660ae49ff608a03db98bb5e99ba723344746c943dc058374351

  • Size

    3.1MB

  • MD5

    e2bb7afb170aece6dbf53db4f0a92afb

  • SHA1

    4fe02b28a4518cec9517ba87cc90c1e0fef282b1

  • SHA256

    a3cc3171c941b660ae49ff608a03db98bb5e99ba723344746c943dc058374351

  • SHA512

    f3e2791c7af73a01303c5d2a9fec53b7973b5a02502bc62be2063325771d4b666f8d1dd5d3bacfec870262d1eaf18a4a45984803690384bebd7ec4216959aff7

  • SSDEEP

    49152:c/E2Zr1MB3pJh60Slp0HF3QYaWtK+2fVFOv+9CeJcI:c/E2ZriB3pj60SlmlPtWOG9jJcI

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2