Extracted

• • Target

    fb7cfe2c826b753e2fdbc9c4135ed80dd82d1487812df47fe11954c2f13c7da6

  • Size

    3.1MB

  • MD5

    08682494cff682f3a1f9619cf0baff00

  • SHA1

    c3d966f76c7e0e49f27d327af9ee2adf178f452a

  • SHA256

    fb7cfe2c826b753e2fdbc9c4135ed80dd82d1487812df47fe11954c2f13c7da6

  • SHA512

    a98b29860b17f88f2b678688ec067478699c5c9cc8f7da444d4829cd8cc6a6610bc8a40eb4259c7aefcdd4e6c5d8cc07282c477daa15d14c9048e93e0aa35c7e

  • SSDEEP

    49152:nmOoxTm9ezX3uMeMvSLVWEErv3yrvX9p3JPhsMZO:WQeTveMvSLVdEDCbX91F/U

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2