Extracted

• • Target

    ca728add0f4e5a99a094a91c194e54363861cd0fbb0a78afccea86d1788dc750

  • Size

    3.2MB

  • MD5

    5be5e56fed0f8d9279f979ac11a6cb6e

  • SHA1

    1df291b71abb6a1707624e90288f9df5337af9a8

  • SHA256

    ca728add0f4e5a99a094a91c194e54363861cd0fbb0a78afccea86d1788dc750

  • SHA512

    5c3677e0947a659a5561efb4e77181afff3e7d38d57334895d827d5e86261a77938bbd740cca7112b004d35b0d361a1e4f88074b75477fc8a670d9532732e075

  • SSDEEP

    49152:+Ai4NKHXiY4T8L64mZZVQvgJYHX7/zDL+1O7VqAVxBtp6:RiHHy3T8L64aVQ4JcX7/HL+aFVxB

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2