Extracted

• • Target

    28c6d999595b8237fcbc048ef4811ffc5645a613d8984f9059a1e37341dda983

  • Size

    3.1MB

  • MD5

    7d74dd0c7fb90a8b6226fc529d8148c3

  • SHA1

    f92e250732c614e1a64da623392fcd2fd28881db

  • SHA256

    28c6d999595b8237fcbc048ef4811ffc5645a613d8984f9059a1e37341dda983

  • SHA512

    a9a9ba66a08ee7dfc511dff46a0281ff325b0c668efbcb86666a317907cc5f2887c2b268d2ce4503dc9bacb18f5a1916571e72f4becb4e4e12f8af822fff1b0f

  • SSDEEP

    49152:EL6KgMu0PgJFKt+vMl23skJbiRIJY2i6DOya:KQ0PgJFKo3lJuSDa

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2