Extracted

• • Target

    dc5eccc847f2d65dbad1734027c296b1d5acabe3a3598e098eb7aef4ad9fc432

  • Size

    3.1MB

  • MD5

    13cdee1234a9af595ba4b48501a2750e

  • SHA1

    05974e2a21d05d39bc2f263821ab9dc40d357202

  • SHA256

    dc5eccc847f2d65dbad1734027c296b1d5acabe3a3598e098eb7aef4ad9fc432

  • SHA512

    86e7d440ad28d1bac4e5dbe810b85b90d2b107d5fd51fea9e4b21b189c374f6484f2a6b4257bb795ed7d7bc193a0000110dd7239b1fb0acd0fbe4c0bee0fa039

  • SSDEEP

    49152:FSvqodIaTj3qVhecuAPVJmplY1xr2QIZI/SAM1q7k:MqodIej3qVhecuAPVJLaZC

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2