Extracted

• • Target

    b7e72b538e09cb4d2a4426f8440e88be6682a816201e0450912aa6c4068d6ef7

  • Size

    1.8MB

  • MD5

    6ecf1c3820035b297440e48cb84dcf44

  • SHA1

    4c35f6f770d5eede118c4b91c94ecf87b87b4cea

  • SHA256

    b7e72b538e09cb4d2a4426f8440e88be6682a816201e0450912aa6c4068d6ef7

  • SHA512

    984c003514e3223435503f33d4e09e4c8d58e1e2d9a17c0adf4f6cb7ae57ee89d9251cbadff22ea448a6baf20a9a83ee8ecd0b687e7928354127ace1a4a70e83

  • SSDEEP

    49152:efyKN1QX6iKWgR2BRHMGAsb2DofNRLd3QPxFLyw:eKlXvKWo2B2GtoofLd3UL

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2