Extracted

• • Target

    60e96b3d426418f0c91ae353d30c55adbfa60182f684f84a7657e5a07338f570.exe

  • Size

    1.8MB

  • MD5

    4bc7776abc694066adf8b7506ba4d540

  • SHA1

    be2a421fbc2b9aacd8a366ab8a127e62f2521d4e

  • SHA256

    60e96b3d426418f0c91ae353d30c55adbfa60182f684f84a7657e5a07338f570

  • SHA512

    4d756d3872e42cb589fe0b8b1507090452d0dd37ad8562cda4f76989a7642478d016bc4d650d4fb4d7cad7142d7a37cf747d477eb3811c8a9ee40c5a9a4d2ce5

  • SSDEEP

    49152:Uwg0AEKh+JcngNxupyhoe12eWB8OtGClEzIJ:UwdAvcvNcpyhD3WGO6E

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2