Extracted

• • Target

    d0cc4152b748124f408722d01a7db1d86b4c58984335fb0b3e94cb7b64ee4ec2N.exe

  • Size

    1.8MB

  • MD5

    8d3d1606a253a447ae70f758200dd960

  • SHA1

    e3d807a74604fef657225bed525d6736ea621417

  • SHA256

    d0cc4152b748124f408722d01a7db1d86b4c58984335fb0b3e94cb7b64ee4ec2

  • SHA512

    a65d4df9049f276bc623666d5cf567f14517f80aa4ea37aa922c147570ee6e35b0f52984907be7a889caaadb504286b46166d61f1862cb69b3117f50b1f56058

  • SSDEEP

    49152:DgPquKgCWWHIk18EUIWNGfxgiz2zmv+aVcrM29n6s:m/cd8EUIWNmvpkn6s

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2