Extracted

• • Target

    838f8660935fef9a82433c606686bbcf9ec2e0baabfd836c570afce41075ea6a.exe

  • Size

    1.9MB

  • MD5

    825a73488799385416bc7357c0dd4440

  • SHA1

    204c31c1eea8d62994a14f22959bf6755305f46e

  • SHA256

    838f8660935fef9a82433c606686bbcf9ec2e0baabfd836c570afce41075ea6a

  • SHA512

    a9b473456ea5859de88a795355a17966ba6aca67c4941efd169736da3809bb5c7e06a57fe2e2b7a1d1db4deeea56a9ffdacd8be2b60cc958afc98bf61310c696

  • SSDEEP

    49152:LMoQjRRxtOi2J7laOuW5JBIpiNH1TQ8SXTp+g:8jfxURCSIpuHSVV+g

  Score

  10^/10

  amadeyfed3aadiscoveryevasiontrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2