Extracted

• • Target

    acb35ba33697a598180e2a837e9573357c989844b189a950637585e30b9c4c14

  • Size

    1.8MB

  • MD5

    db11f61c5ce6c92a0e4dc65944987781

  • SHA1

    20f5aa137a21017721bf178269128f80034bac04

  • SHA256

    acb35ba33697a598180e2a837e9573357c989844b189a950637585e30b9c4c14

  • SHA512

    a7d49165b695d2a5cf56366bcbf0fe1b5c23542fa2a13b637cfb3dd3b7d214b5167bd8cc5f3ed1e745118ea3b0dd25caf74b6810546b1cc65e7bde9bdb4184c8

  • SSDEEP

    49152:axdFW1U2idViAFoGz3+FOmdNq3iFAhwjmbOKiTl:wW1UlEAmGz3+FOmgqSbYh

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2