Extracted

• • Target

    633bc1c2a76d5ce5fa0a8170ff2cee22950cde19f112c46a741bd27161ad25e4

  • Size

    1.8MB

  • MD5

    a5542c8e3a201ca984a4d52c038d4d41

  • SHA1

    421239aaf0e20d4a9b3afb4422cbc0ab54f79e8e

  • SHA256

    633bc1c2a76d5ce5fa0a8170ff2cee22950cde19f112c46a741bd27161ad25e4

  • SHA512

    49837e99c88fe1f40d3bdec4a04ef5b8e68055c04ad85071f9b7486e7782c1c48d4474a2c04cd22b50c23afd0dc2adf6dd87a1fd7240ec01f1850f2d64165c42

  • SSDEEP

    49152:5Gjcuon9+hudI3gZc4IaIAWyoshSiEiRPHE:gcuon9M3PyoOStiR

  Score

  10^/10

  amadey9c9aa5defense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2