Extracted

• • Target

    51e1690c8dae8c51021074ecd80e486afc7d43600fa83f02d4b1b6939a2ee815

  • Size

    1.8MB

  • MD5

    35baa3d5b131220a144c40f7a16bf0e5

  • SHA1

    117cd53d0364b66ad1fa92ca88a4a2e17a6a29a2

  • SHA256

    51e1690c8dae8c51021074ecd80e486afc7d43600fa83f02d4b1b6939a2ee815

  • SHA512

    38ff2977cf66ba1e1624014749824154e6b9e85e3b3f75fb17218073b1c008452a44a0c6a4163f9394a29ccadafe976e3c53656830d690cc2f9deba68b911aa0

  • SSDEEP

    49152:FGSWOhg78vebELW13DeX580g26h9H6ReEFX3lwB+i0DNoom1Gl:FG3i2bGWqx6Uz7NoomO

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2