Extracted

• • Target

    d1763245c853a81851cafc13b4374281198e6858c46385005ff9a44a82099b55

  • Size

    2.9MB

  • MD5

    05429f1c913902979e2c14f72809da9e

  • SHA1

    721aa6a7e6ce7e5f87ec6607591bf7329a7e350f

  • SHA256

    d1763245c853a81851cafc13b4374281198e6858c46385005ff9a44a82099b55

  • SHA512

    015fce11ffb3b7e5d50725e4d23aec10d342e07dec9373ed8fdf3796f02fcf03eee594edab8311e6f1d2c25f74ef903af8295e33fb40632e8bafa9a133fb4ff2

  • SSDEEP

    49152:JX3bMwa71VhXDzcVRLT7ywYCqffIkO/gtrOxRcxJaJc2+:hVa71jXD+RLqwEgIt+craT+

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2