Extracted

• • Target

    f0e53dc777f2647a559591e245c535e18de54753691f3eaf2e30f9fc26d327e6

  • Size

    1.8MB

  • MD5

    395c60a5c9be4db408f8df5a6b14dbd1

  • SHA1

    18c90a2e247ed236d91f52f43c83d6e46d87b11f

  • SHA256

    f0e53dc777f2647a559591e245c535e18de54753691f3eaf2e30f9fc26d327e6

  • SHA512

    d272334347b3b4a5e6db5afed28a3025af615cf1e1f7fa76e3f5a5feb2ae20dca3add0aa1f521b1744030516deecf8b0afe89b739ad911750d537680d51d73f4

  • SSDEEP

    49152:to51Yr+n3CGG4a+FzLxVLx+3Ohb2vHNxfOfQTDq:qfxS+10abUxfOfyD

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2