Extracted

• • Target

    cf69f87d2720d622d42c1926340408e133e4ddceb35cf41f904f440d30a62c4fN.exe

  • Size

    1.9MB

  • MD5

    ceb82cb200a0c9146b43093f70657510

  • SHA1

    3ab9c90eb09c1f6cea530c3911e606b661cc4db6

  • SHA256

    cf69f87d2720d622d42c1926340408e133e4ddceb35cf41f904f440d30a62c4f

  • SHA512

    3930892e787513fd8c060068d223ca14d3a27c5ba410973f28444b4fc3696575e9777bc991d433048d15ec7598367cfb2650008d8a3d88907767750a8575a844

  • SSDEEP

    49152:LMoQjRRxtOi2J7laOuW5JBIpiNH1TQ8SXTp+:8jfxURCSIpuHSVV+

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2