Extracted

• • Target

    e89a814f18e6ea9afe36ad79672eb31b83d13c31a80cb7235d7099767580f157.exe

  • Size

    1.8MB

  • MD5

    9a033ef77906ffb0b14961654a21b72f

  • SHA1

    8558ebba693696505bbea48d5d40f9c16d481222

  • SHA256

    e89a814f18e6ea9afe36ad79672eb31b83d13c31a80cb7235d7099767580f157

  • SHA512

    ead964abe4ad0b2986cb0bc436a90a91c3d7eba9510bf312974659de4c8151c75a538722471c1fc1b7c6ce43e151e15b8080861deed8c3f04f7309095bba604c

  • SSDEEP

    49152:isdNbHrt+PuB/cJKXV+gElfdo/2LpEjX+erGBTUwkSp/QBbyYm:isbrtUuBIKKcuL4Gtp4pdm

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2