Extracted

• • Target

    6ed2b9ac5d9a491300d4aa3c3e4fe4ac0d63824a769dd44ae8f6655050690d06

  • Size

    3.1MB

  • MD5

    80cee23e61fb7c2c15caad8b9fb4b2e7

  • SHA1

    1da820c01f2d0edb79018a156a049b0a5d4901f7

  • SHA256

    6ed2b9ac5d9a491300d4aa3c3e4fe4ac0d63824a769dd44ae8f6655050690d06

  • SHA512

    c242db5ca6490ddc068e10ccc12f8255753ab58d5229b826c1f934bca524925f55215cb4fcbd9e96860a8ef224628f8017bd207dae6a3d0b6eda4ddd4a974411

  • SSDEEP

    24576:y08iL5/afe0ft0jU4UFcQxgMGWDEQ5/xl1YTRCX4zhOfrACdZjHAb03WZpI5gZkX:ki9FjUZYAr7rxbXmZAgFagpYEbw/+S

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2