Extracted

• • Target

    c847141c27e026398cf59fe786164c4870f6497fd9445c8b82925dbbfbb5c96e

  • Size

    1.8MB

  • MD5

    365a35dfa8852e12b601763f8b8caba7

  • SHA1

    be193b78933e268a1153e449486b358332fbfc36

  • SHA256

    c847141c27e026398cf59fe786164c4870f6497fd9445c8b82925dbbfbb5c96e

  • SHA512

    3ad532524668517b26f8d306155b93f884e81e827c2b9f45687b7ed59c2976284c46e868990a821979af9deb65a66dc30371749613d25214afeff7e94f6c8411

  • SSDEEP

    49152:FrrmMEvIrLnEbXDycj9zfPk59XYy5iYljdBa0T:lLnAXD9j9zfq9XYox

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2