Extracted

• • Target

    6afe20271b9abcfe82a452abe90f00a49e962038864fd6705f41d93b8cbd8333

  • Size

    3.1MB

  • MD5

    4cd6669c658581e157c05433e7fcf235

  • SHA1

    d4d07e78e4d94c8aa812e8719e2cdf17ad16a374

  • SHA256

    6afe20271b9abcfe82a452abe90f00a49e962038864fd6705f41d93b8cbd8333

  • SHA512

    5402de77c91b7768dc8684218a6f781839bf55e25fc4f59ba7c7f13f05b80e2cb503fdb52fe243c4fbfbd27d02034d6194aad48fabd67c41ae186556bb765c9a

  • SSDEEP

    98304:d1CZFTvVxnie/2AZMLmQdN8I1AYrHj8nE:zCZ5wN8o/rg

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2