Extracted

• • Target

    d603c0b21e33addce97732688511bfeb0f3a6e015ed08f95ac3e403462b1f494

  • Size

    3.0MB

  • MD5

    48224a33e75cc0a5674ba8385f44bcfd

  • SHA1

    8c109aa875ac88f48826ad7190cd1ba4dfd72a9b

  • SHA256

    d603c0b21e33addce97732688511bfeb0f3a6e015ed08f95ac3e403462b1f494

  • SHA512

    64b0e52a762d6c39ed55b864e5b89aeae29dc4f2d55a237999d8c3f13b18f500ba4d5f2e72bd1cdd82a9d5f8733dd1267d640a5b1589d4b1110a1af591a0f51d

  • SSDEEP

    49152:AGfuOZedSvoGG4LgG0PieBqqSUqhZjY+0ScVL:VuOZedSvrG4LgG0zFSDhZjY+0S6

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2