Extracted

• • Target

    bc26918be219501a42417f0a56597a21073c98a0ea3f20f3161335dd0df1d159

  • Size

    1.8MB

  • MD5

    50263f90ca1d10e1499eaaf7944aac1a

  • SHA1

    dd38364448ed13db15116ac8295e6c78e1d71210

  • SHA256

    bc26918be219501a42417f0a56597a21073c98a0ea3f20f3161335dd0df1d159

  • SHA512

    096b54f97c3bb5677f52f471f0fb6bc2e9a1ba0dc648d4f59f002d5777ff906cfd7bb2383b5ac622d231e8300219e3e6dc0633d9a3c27cb97eacf9194d4f3552

  • SSDEEP

    49152:ksC2ULnLZgiGFbBxdcLVkzZiLeumkw24TomBobjJhl:xinL6N8Vkdib5Biaxhl

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2