Extracted

• • Target

    b791cfdb59b01d94ca07c57d60b1077b796caad073f3955f3e2c8d1ab9dda9bfN.exe

  • Size

    1.8MB

  • MD5

    bf45e6a146bd6d659720c456136680f0

  • SHA1

    b6c928dca2c04d8995f6c6551783d69cec06d797

  • SHA256

    b791cfdb59b01d94ca07c57d60b1077b796caad073f3955f3e2c8d1ab9dda9bf

  • SHA512

    17c0ed7df1836bd3ed104e2bca828aba2edeb3db55da46c2e03d611912c30d2d81fa453f47927d71f25c926e498ff3f6f44ba2e7dd9c9ce0cdfc08c3c3dbf602

  • SSDEEP

    49152:Ylhwb9YAymm41GcQAHNIH/7nAWMz9prqtqi:iU99ymm41xtwoTm/

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2