Extracted

• • Target

    c3971145e5d37e1540c16715940513380b76d22996a8f2205bfcce242b535719

  • Size

    1.8MB

  • MD5

    0b539e2023985e6875d30f1ed784bdc9

  • SHA1

    16895c9f7edfea6493603e207bd1233d8400e2fb

  • SHA256

    c3971145e5d37e1540c16715940513380b76d22996a8f2205bfcce242b535719

  • SHA512

    ab3243ef2852f29a2d13a911d3100765f63ed71c055804e681b6b6d8170d97ce6dc9722aad20c0ce44be4f625495631f62948c6d7ca7ac053a150a8a3f2a9cb3

  • SSDEEP

    49152:dkKfWGBUoxpJycKJ3F/QY6xHDDAIbUl62Chr:dduSf03F/Q3P9o4J

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2