Extracted

• • Target

    a810c28dd701ef82ae88f9037c8e964be77b030f9488d9688c3ee2d94827239d.exe

  • Size

    1.8MB

  • MD5

    286992935c2e8d07a9489d522d9ec9c8

  • SHA1

    f3847fc0d8a1b7c55578a86cef9faf5c53da024b

  • SHA256

    a810c28dd701ef82ae88f9037c8e964be77b030f9488d9688c3ee2d94827239d

  • SHA512

    3a6819aafff7a267ec167e514d9dcf912117243363771dd9937c28b470d975a1741aaea6b5680b833bc9c0dd4fbb6b9d02a7e9131d57deee627cc33c6c94e309

  • SSDEEP

    49152:9Cy8W1NOoIeXszrk21CHsSegwCwcjE784VoEMR2RZ/:4yjxf4r3/a3d+bDV

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2