Extracted

• • Target

    53a0103e1797ebe3af680e0bf7a2e3f3daa619ef4b573517aac23f4157cb4518

  • Size

    3.0MB

  • MD5

    698b494f0464727fb30511a84323eb85

  • SHA1

    37af63d61a628779571ce220670d5454b7e40a37

  • SHA256

    53a0103e1797ebe3af680e0bf7a2e3f3daa619ef4b573517aac23f4157cb4518

  • SHA512

    59c0d73fba15dce22ad88e0bc661dd19fc54c28e6539d49a713cd99998513279834f9daadaff6beb4c6334c3a7ffa8e4a1ffcd0dacb2f9ec5d9a0da3cfea78bd

  • SSDEEP

    49152:4eQ1bnka4ciYiqOmIKMCqM7M91YCqBj4eY49qjISsxf:4eQ1bnka4OT5IKMe7ciC/e3zSs

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2