Extracted

• • Target

    4da9e0f2780886e09e6df32a83c4157d90f2178943b57b019870e377849ddb46N.exe

  • Size

    1.8MB

  • MD5

    13b248bf1372254811f727e571a2ed40

  • SHA1

    6aa5c9a0b1a979a23aa0e7d2b1d2ac88eb4c8cb5

  • SHA256

    4da9e0f2780886e09e6df32a83c4157d90f2178943b57b019870e377849ddb46

  • SHA512

    5b6fa66ed167e2ccfe2d0264973d9d43046fe628fd929be1ae4ed9ba2cfae1170442815a8940c4bca86ec83b98a46400062fc2c92535d75e5e3db298caf3f8dc

  • SSDEEP

    49152:nIdOvFZhgl75kEOlkpsxlWHYmIkJ8IW8/bA:IAvFZhQVkqcHmIWj/b

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2