Extracted

• • Target

    1e7a7571f046998ca8c0cada49e3b79e14d37581d9d36ccc8ba1471ed814354f

  • Size

    3.1MB

  • MD5

    96396f2eb9e566660026a3143f6ecbf7

  • SHA1

    e585546fed3204681a8b13b1d4dc8cd968ff0a96

  • SHA256

    1e7a7571f046998ca8c0cada49e3b79e14d37581d9d36ccc8ba1471ed814354f

  • SHA512

    d885b61f49c30e51ea842fd701dec07117012858ddb9b43900ee5d02b4e873d405ba2cb667b28d3462148fa113efc7a177aab7bc3191cfe05389543322c235c0

  • SSDEEP

    49152:NiGlf3nJcM/JIDfXy1YoXIYN0S/HOsnl63KA+0pVOP:llf3JcSJ4fy1YkIG0S/HTkP7O

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2