Extracted

• • Target

    04094de12eaab6da01090b9c9063e36f14ba0a78bc24efa680f0413f9bfffa07

  • Size

    3.1MB

  • MD5

    31daf4eccf105d09fc7ef0fa1189f05d

  • SHA1

    34931a3e559ba9e989b0015f582d4c93e101c31e

  • SHA256

    04094de12eaab6da01090b9c9063e36f14ba0a78bc24efa680f0413f9bfffa07

  • SHA512

    432191eb37d5ef8e16854038d63fc0ea5d819a6335d08f53db6db818055777a427cf0e08b1f3a17f123cd6657460725c25101b3e72718967c360857d75d3551c

  • SSDEEP

    98304:TX2LYDTAHxSnzUEviVcgB9jpUbksdu0PJYF:8Hk6l6u0B

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2