Extracted

• • Target

    6db6e15cf98f95f46b5ad9689c67643fe4f2eb188cab7f8f7cb5a26de327d8fd

  • Size

    1.8MB

  • MD5

    bc308e63cd93b6c45a736d0cd76b5df6

  • SHA1

    b0d17bcb736c0023fe781bd77e5f9f913f357999

  • SHA256

    6db6e15cf98f95f46b5ad9689c67643fe4f2eb188cab7f8f7cb5a26de327d8fd

  • SHA512

    65bf8b95d4d6f4899ff3c6561ad2c14177bd4bd9cc42066d135ab968a6b537fe1f30983dbeb4d15d595b25bd5df956c0e6f0d7cf441e7ddec9869e66da330213

  • SSDEEP

    49152:MxQeVbpwzXg4BP1BncA8ncmTUJ0dnT7mk9lk:MhbwXg2P0nU0p6

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2