Extracted

• • Target

    9cbbfd802bbf6a3b892b6e86da85586f4fd3b67045962ecda8c773cedb966671

  • Size

    1.8MB

  • MD5

    5518feaa4da858d0976daf63282da02d

  • SHA1

    ddece443be8d3add12d0088702c24d6cfe80c60b

  • SHA256

    9cbbfd802bbf6a3b892b6e86da85586f4fd3b67045962ecda8c773cedb966671

  • SHA512

    2654b1b47a13224093536621bb60b08cae363c3181668cda6d72f123e6fd73af3ebd4416b49ae2424915424401150cccada815c1dc5ebcf6ca5945453b336e9e

  • SSDEEP

    49152:jd3Y4thZ5Lrgcns0S51zmoOi78m2A+4ZSv9HuCaU1:jh5thzrls95AoOfwtwVHuCam

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2