Extracted

• • Target

    a01f2460fec1868757aa9194b5043b4dd9992de0f6b932137f36506bd92d9d86

  • Size

    1.8MB

  • MD5

    a0c803a3665f0cc98a7d3892a1bfb37e

  • SHA1

    37fec4eee2072698a01cafc3d3bbef8f5a2db372

  • SHA256

    a01f2460fec1868757aa9194b5043b4dd9992de0f6b932137f36506bd92d9d86

  • SHA512

    d163c0e30677257e0bfd8e32a13116f34d12c941a6042376b38b4e557951ed7be599b4869059a34c2e7af239898115901269a24f6fcd5b0e4b91d18368ae6dfb

  • SSDEEP

    49152:gTjpVF0g/9mo3RHX7B6WvUJFECeCdSxa/Jn0:aVypo3RHmyC

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2