Extracted

• • Target

    affc05239e1154908195164b6cc0391cbc28810bbfebcd05dc7b4d4a73d835f3

  • Size

    3.1MB

  • MD5

    0a71e37d2fb823a5ed8b8ec65966cfaf

  • SHA1

    d2e8bdebd1b2ed7eb18771f7173a474468ef9567

  • SHA256

    affc05239e1154908195164b6cc0391cbc28810bbfebcd05dc7b4d4a73d835f3

  • SHA512

    4a80b94a8d5472ae14fabe735e26d183311e50b54a8870621f0e31cef37927ac25e0aecb88b58f3b4cffe29279fe5336961ca14d4229a4778cffc519c03a1fdf

  • SSDEEP

    98304:HpKjlyOkIkyjWsjbWiOKIAwyAAimgVJ2:KIAwyAAiRVJ2

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2