Extracted

• • Target

    b6eb388899d4437ef83ad04783220c966dcea878c4760af4dc1c186d453ce9f5

  • Size

    3.1MB

  • MD5

    578fcc6e8c2119bb0e2d2ab57c294b91

  • SHA1

    7d1e200d1f894f305828ad3bdc746a454cd9fb56

  • SHA256

    b6eb388899d4437ef83ad04783220c966dcea878c4760af4dc1c186d453ce9f5

  • SHA512

    d2d1f64f75dcb05291bba2431d6b7a82db8738cf03fa7ebac8108391adea5edf209e96acb7df9fc85ed29f5684013756329abb0bcc88751747ea7928586cb129

  • SSDEEP

    49152:XfL6+t1sP6292pRDN9PV/N4RAOpmW05Ug+u3p30cHHfA:Xf2Oy2pRDN9PXsAOpoUg+a

  Score

  10^/10

  amadey9c9aa5discoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2