Extracted

• • Target

    69c2785558326b01a5150e07c43129e4045ae2df449b7625b75aea94b8206c63.exe

  • Size

    1.8MB

  • MD5

    36465d1f2d56ae0a5ec876cf59bc7b19

  • SHA1

    30eb8b914f3371d5432b79296112c26d538c455e

  • SHA256

    69c2785558326b01a5150e07c43129e4045ae2df449b7625b75aea94b8206c63

  • SHA512

    af0344bd9a088040167b5e231bf3d894f40a737a7b2630dd2321332cac79331619d7b7eedb3063d26f96380ab39ffea16ec06bb172445e4d108792ca0a7bcb15

  • SSDEEP

    49152:NefAwjRU8LR2xxa9crLXTEFr61tkbRXGO24rtm889ojXesUh:NefBt2xx8cr8lYKR1/rtJ8TX

  Score

  10^/10

  amadeyfed3aadefense_evasiondiscoveryspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2