Extracted

• • Target

    63acba8082566bebd81e8d126a64b7414965a05541f101ff5f19a71c1d7c790dN.exe

  • Size

    1.8MB

  • MD5

    5100c24d34ec133f13e5f363a56e5e70

  • SHA1

    9dbe4c1417b87b3f10af11ae23a5df50fed11e43

  • SHA256

    63acba8082566bebd81e8d126a64b7414965a05541f101ff5f19a71c1d7c790d

  • SHA512

    5c1747af8c369fae5fda01d0210704d78ca69cb720c12de14c44c3d9fff63ddf31545f96e75471aa179314dac0ada1680a187ea132c5de2ce2dd3f59103fcbff

  • SSDEEP

    49152:zr52/tRXCMFaszvr1pZiNobb36JwD+t+Px3VqojgC4eQ:zrs/yar5l6Jwa+Pxvj

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoverytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2