Extracted

• • Target

    45c95f735fdb84f27fa9be9bf8e7a3ddd153e47c7ebdd7bbc02b1bcd6eb8fb42

  • Size

    2.9MB

  • MD5

    5a74db1c1a0f4bc1d8ecfcab151d86ef

  • SHA1

    0d86f311bc8121cb965cc311f13ab6e28f7c22e9

  • SHA256

    45c95f735fdb84f27fa9be9bf8e7a3ddd153e47c7ebdd7bbc02b1bcd6eb8fb42

  • SHA512

    08facb06c4c5a78086de1416322ceac7efd3156af883f97e228fa7c0c85913b1cc4a2c807d0ae9078df3891e9896c8d21a638aa7f7f0472295e7578fa5b52209

  • SSDEEP

    49152:d3d990H/yYLroDDVPz3qjB2cSZPadlczskirrZl:pd9mHKYLroDJ73YB2PPX4kirj

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2