Extracted

• • Target

    8e2404be96f2f8332450efb557bbe02b2da04584cc61582165d0ba126d224747

  • Size

    1.8MB

  • MD5

    3ee5b044f23d3519eb2c2002250f0f6d

  • SHA1

    6eb74d56a772f06cab63993482eac074c7c9ffcf

  • SHA256

    8e2404be96f2f8332450efb557bbe02b2da04584cc61582165d0ba126d224747

  • SHA512

    7203b6e95a6b4c7dab79d61687c3b8befb2b6cce840d8ab2376f5c92db212c463ee56679d7457028f28a5456d88ac4c5ab5038e69514447bd0426625c5cb53c6

  • SSDEEP

    49152:oUeRngYd58KXiyMkM02VoHNdfKBdVlNnhhOT0/pI:cbXnR2cbKBdbY7

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2