amadey

General

Target

2120D92E96AD3E11B8E35CD6CF867E95C31B64D4D4E43.exe
Size

2.4MB
Sample

210829-yt1ygmyt4x
MD5

4cc2560de1b2a15d3c8b8580154154af
SHA1

ae4ee80e9d7c315b66fc3e4f62d9ae1d25463ccc
SHA256

2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306
SHA512

e4ffb1701a54884d053b5f17ce494a6e723ec3005a5fb967bbca021a3a6fe434e608b1a6e0f92e2b35b4f1624794b72147e339fe6ba2eecf384cf01bd469383a

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

hello

C2

80.66.87.33:36976

Extracted

Family

redline

Botnet

Norman

C2

45.14.49.184:25321

Extracted

Family

amadey

Version

2.50

C2

185.215.113.206/k8FppT/index.php

Targets

- Target
  
  2120D92E96AD3E11B8E35CD6CF867E95C31B64D4D4E43.exe
- Size
  
  2.4MB
- MD5
  
  4cc2560de1b2a15d3c8b8580154154af
- SHA1
  
  ae4ee80e9d7c315b66fc3e4f62d9ae1d25463ccc
- SHA256
  
  2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306
- SHA512
  
  e4ffb1701a54884d053b5f17ce494a6e723ec3005a5fb967bbca021a3a6fe434e608b1a6e0f92e2b35b4f1624794b72147e339fe6ba2eecf384cf01bd469383a
Score

10^/10

redline aspackv2 evasion infostealer suricata themida trojan amadey smokeloader vidar 933 hello norman backdoor stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
  suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
  suricata
- suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Nirsoft
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2