General

  • Target

    c4c7d74ca7c0fc1511a82b040a274549.exe

  • Size

    560KB

  • Sample

    210428-r22npdv45n

  • MD5

    c4c7d74ca7c0fc1511a82b040a274549

  • SHA1

    b0b1f42d887a07d4bfae6b1e63900bad822b0908

  • SHA256

    84343112791c187d10af9cea8fac68cf4fc03d72352f1fe2def0bf72f9a9afc7

  • SHA512

    b80b2ed76607715f3660626151b8445d28bc5a87e33cdd91a1750341b3b7f94f2b0dbb13d17246e1fbe6f1a53299c31cfbfc5c9d49c27542c2cd27cac5c3e558

Malware Config

Extracted

Family

amadey

Version

2.16

C2

176.111.174.114/Hnq8vS/index.php
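The extracted config and the hashes above only become useful once they are turned into something that runs against your own telemetry. What follows is an added example written for this page; it is not code from the sandbox vendor or from Amadey itself. It normalises the scheme-less C2 string into host and path, flags requests to it in constructed proxy-log lines, matches an EDR-style `sha256=` field against the SHA256 above, and checks a local copy of a file against the report's digests. The hashes and C2 are copied from the report; the log formats, the sample lines, the "plain HTTP" assumption for the scheme-less C2 and the lower-confidence rule for other requests to the same host are assumptions made here.

```python
"""IOC matching for the Amadey report above (added example; not sandbox or Amadey code)."""
import hashlib
import re
from urllib.parse import urlsplit

# Values copied from the report above.
REPORT = {
    "family": "amadey",
    "version": "2.16",
    "c2": "176.111.174.114/Hnq8vS/index.php",
    "md5": "c4c7d74ca7c0fc1511a82b040a274549",
    "sha1": "b0b1f42d887a07d4bfae6b1e63900bad822b0908",
    "sha256": "84343112791c187d10af9cea8fac68cf4fc03d72352f1fe2def0bf72f9a9afc7",
}


def split_c2(c2):
    """Normalise the scheme-less C2 string from the config into (host, path)."""
    if "://" not in c2:
        c2 = "http://" + c2  # assumption: the config gives no scheme, treat as plain HTTP
    parts = urlsplit(c2)
    return parts.hostname, parts.path or "/"


def file_digests(data):
    """MD5/SHA1/SHA256 of a byte string, for checking a local file against the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_reported_sample(data, report=REPORT):
    """True only if every digest the report lists matches the bytes given."""
    d = file_digests(data)
    return all(d[k] == report[k].lower() for k in ("md5", "sha1", "sha256"))


def scan_proxy_log(lines, report=REPORT):
    """Flag proxy-log lines that talk to the extracted C2.

    Constructed log format (not any real product's): "<ts> <client_ip> <method> <url> <status>".
    An exact host+path match is high confidence. Any other request to the C2 host is
    reported as low confidence; this is an assumption that follow-on payloads may be
    served from other paths on the same server, which the report does not state.
    """
    c2_host, c2_path = split_c2(report["c2"])
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = urlsplit(fields[3])
        if url.hostname != c2_host:
            continue
        if url.path == c2_path:
            hits.append((n, "high", f"{fields[2]} to extracted C2 {c2_host}{c2_path}"))
        else:
            hits.append((n, "low", f"other request to C2 host {c2_host}: {url.path}"))
    return hits


SHA256_RE = re.compile(r"\bsha256=([0-9a-fA-F]{64})")


def scan_hash_events(lines, report=REPORT):
    """Return the 1-based line numbers of events whose sha256= field is the reported sample."""
    wanted = report["sha256"].lower()
    return [n for n, line in enumerate(lines, 1)
            for m in SHA256_RE.finditer(line) if m.group(1).lower() == wanted]


# Constructed sample data: these lines are invented here to exercise the matchers.
PROXY_LOG = [
    "2021-04-28T10:00:01Z 10.0.0.5 GET http://example.com/ 200",
    "2021-04-28T10:00:07Z 10.0.0.5 POST http://176.111.174.114/Hnq8vS/index.php 200",
    "2021-04-28T10:00:09Z 10.0.0.5 GET http://176.111.174.114/Hnq8vS/update.exe 200",
    "2021-04-28T10:01:00Z 10.0.0.6 GET http://176.111.174.114:8080/ 404",
]
EDR_EVENTS = [
    "2021-04-28T09:59:58Z host=WS01 event=FileCreate sha256=" + REPORT["sha256"]
    + " path=C:\\Users\\u\\Downloads\\invoice.exe",
    "2021-04-28T10:00:00Z host=WS01 event=ProcessStart sha256=" + "0" * 64
    + " path=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy", *hit)
    print("hash hits on event lines:", scan_hash_events(EDR_EVENTS))
```

Run it as-is to see the three proxy hits (one high, two low) and the single hash hit; swap `PROXY_LOG` and `EDR_EVENTS` for lines read from your own logs, after adjusting the field positions to your format. Before pivoting on anything in this report, feed the bytes of the file you actually hold to `is_reported_sample` so that you are not investigating a different build.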

Targets

    • Target

      c4c7d74ca7c0fc1511a82b040a274549.exe

    • Amadey

      Amadey is a bot/loader: it fingerprints the infected host, reports the results to its C2 and fetches further payloads on command. The config extracted above (version 2.16, C2 176.111.174.114/Hnq8vS/index.php) belongs to this family.

    • Vidar

      Vidar is an infostealer derived from the Arkei stealer. Amadey is commonly used to deliver other stealers, and the "Downloads MZ/PE file" and "Executes dropped EXE" signatures below are consistent with that, but the report itself does not identify the dropped binary.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers commonly read the on-disk data of messaging clients (session databases, tokens and saved credentials) to take over the victim's accounts.

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data (saved logins, cookies, autofill entries and session data) from the user's profile directory.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates installed software by reading the subkeys of the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and its Wow6432Node and HKCU counterparts).

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                      Count  ID
Defense Evasion    Install Root Certificate       1      T1130
Defense Evasion    Modify Registry                1      T1112
Credential Access  Credentials in Files           4      T1081
Discovery          Query Registry                 2      T1012
Discovery          System Information Discovery   2      T1082
Collection         Data from Local System         4      T1005

The count is the number of signatures above that map to each technique. The IDs follow ATT&CK v6, the version this report was mapped against. In current ATT&CK releases T1130 has become the sub-technique T1553.004 (Subvert Trust Controls: Install Root Certificate) and T1081 has become T1552.001 (Unsecured Credentials: Credentials In Files); T1112, T1012, T1082 and T1005 are unchanged. Retag before loading these into tooling that expects current IDs.

Tasks