Extracted

• • Target

    20bb07316210f19bdbf49324dc76f47d552bd9e96e27004fdeec390031cc96a8

  • Size

    3.0MB

  • MD5

    fae9757850b1f67c289f0e6330c6da7b

  • SHA1

    ea156f5bca6d36217665274fb3d7d418de21d8fe

  • SHA256

    20bb07316210f19bdbf49324dc76f47d552bd9e96e27004fdeec390031cc96a8

  • SHA512

    e5f63b3441831a756c320c2d708934182700bf9318337ba145f4caf252cbab78daf5263d8eda2e9c0e11d143fef2a1793f6005d935547f42c6e61e76739773b5

  • SSDEEP

    49152:Tf3W2ZkrkWP1hmX6WV2JJ4Ie1keskCRo/cUCOLWiK7NtO0O8C:Tf3pZkrkWP1hc6WV2JJ4NyBRoERYWkk

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2