Extracted

• • Target

    a1a29fe86e685727aac67de2fca425140e1c89f9ac8bf205c48370f9b7ba06be

  • Size

    3.1MB

  • MD5

    d4189a13b84a7ee2ae7a1b0a67c8636b

  • SHA1

    0808081e4c72b644e4fbb060c9a4c9d5785196a6

  • SHA256

    a1a29fe86e685727aac67de2fca425140e1c89f9ac8bf205c48370f9b7ba06be

  • SHA512

    dade665f7eabfd31056c21abf162b2d2974bae16fb6eb28306e13dd78f451c595c75e315a563f69436bbeb34f61842eba1a22a09fdc1e6ef1aef73f4fd384609

  • SSDEEP

    98304:lLXbBVAlv8Z4GRQX0BGGsg8Mm2HJWIAj1Vq:dXvhkasFCjanq

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2