Extracted

• • Target

    3cfa6f9ddaee69ab1d9d9d8ea3fb08c04a8da9ea55b59e812c28b7af728fb548.exe

  • Size

    1.8MB

  • MD5

    1fd6cabbd48c630878ccc0f3f64d8fe9

  • SHA1

    3c85f2c03d402cc1de7402790b61d396d276a917

  • SHA256

    3cfa6f9ddaee69ab1d9d9d8ea3fb08c04a8da9ea55b59e812c28b7af728fb548

  • SHA512

    f537d49db7af8987c6393f0dfc0442ceb9a4628fc5dd53d577d176e90c45709a7b45a1b336cc1bf0c5b9fba5b71f93edaaf5df07aab2763310502578a352bfcf

  • SSDEEP

    24576:y5tPngFSnumZNK85J4CV2JpxjFfdeOkElnHVZ//e1QnWvLkJPY7wxal+DsgN9zSz:yLLNP4q2txfdjkO1Re1+jWLGhSNwEV

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2