Extracted

• • Target

    a850ec315aab40ced362e9077f035134211ddd78cffd2f4ab06bef6ba3465662

  • Size

    3.0MB

  • MD5

    f05507f9fa044f20e803ec5226359166

  • SHA1

    9559a6239ebb49669505fa85ce77e0335c3c8be5

  • SHA256

    a850ec315aab40ced362e9077f035134211ddd78cffd2f4ab06bef6ba3465662

  • SHA512

    3e946a863a003c7920e04ae7e01e53d17d5fe63882914cfbdc6c26419f4eeafb05d7d25938d2e9bd257a2748c6d61533f37d15086ecb927c1edac3a51e7f935f

  • SSDEEP

    49152:pryIplBr+FPARO2My5TU92O9kzofdZFyl9/d3sSIV:pVBr+FPAk2M2TC2O9kzS7Fyl9/+

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2