Extracted

• • Target

    2bae6e7172e1b486b8ab547debf19f24191c3e857ed1cbe58a00d89e6673b3a8

  • Size

    3.1MB

  • MD5

    3f7de628654c8a9aa8075296ad12ad5b

  • SHA1

    2c5f34c80d66676afd59c556ca395c08b5a77d25

  • SHA256

    2bae6e7172e1b486b8ab547debf19f24191c3e857ed1cbe58a00d89e6673b3a8

  • SHA512

    2ab5552d39fa85e7676bef1d8a7a775640d9a78e8e4e8b047f0cecb126ecbd5efa67de3c5b439b16581f47a4710a0a690ca2e8278f2bb89e9efa8a7b5b317d4c

  • SSDEEP

    49152:ccL6z/BvnlITXIlLigNzmPPTopm+Zn0HUH9vpW:fL4QT4lLigNzaPTopC0vpW

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2