Extracted

• • Target

    4f793a54d83b2cff95a8578c9618cc374f10ce4fe4f7b4047086d2aa90c8d701

  • Size

    3.1MB

  • MD5

    b97d8f441b33eb8dee5b3fda1beb58f3

  • SHA1

    bab77a9eb76257788cef3e8c9f239a379e1e12f5

  • SHA256

    4f793a54d83b2cff95a8578c9618cc374f10ce4fe4f7b4047086d2aa90c8d701

  • SHA512

    9ef27ab3bc539794dc83ee7d782950fbefd712a81e5cf6cfef6bc6807773041e782d4895e2df05fbcc3bda4856811f74d05cf9138b237b12a0b273d338331e2b

  • SSDEEP

    49152:Y6jcIbfc5rMCerwWaB0RtB6UFuU/tho/Golb:XjLfc5rMNwp0jB6UDo/Gol

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2