amadey

General

Target

03fecc5ea0f464b05f9230657f1a1370876096f81a91764d9c9478591f768098
Size

209KB
Sample

211026-b3145shfcl
MD5

b1c481480053cfdf8df797f2a7c41ae5
SHA1

573195e9d3e6a4f1c78e469172c4d10cd8d9d509
SHA256

03fecc5ea0f464b05f9230657f1a1370876096f81a91764d9c9478591f768098
SHA512

7862933593a385ad212d66832dbf0a6f65b2dd531550c3a1c6968a46dbc53bbc9724696f195da884e275246c2707089113ed27275159d0ced45a2d103f8626e1

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/

rc4.i32

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

amadey

Version

2.70

C2

185.215.113.45/g4MbvE/index.php

Extracted

Family

vidar

Version

41.6

Botnet

754

C2

https://mas.to/@lilocc

Attributes

profile_id
754

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Targets

- Target
  
  03fecc5ea0f464b05f9230657f1a1370876096f81a91764d9c9478591f768098
- Size
  
  209KB
- MD5
  
  b1c481480053cfdf8df797f2a7c41ae5
- SHA1
  
  573195e9d3e6a4f1c78e469172c4d10cd8d9d509
- SHA256
  
  03fecc5ea0f464b05f9230657f1a1370876096f81a91764d9c9478591f768098
- SHA512
  
  7862933593a385ad212d66832dbf0a6f65b2dd531550c3a1c6968a46dbc53bbc9724696f195da884e275246c2707089113ed27275159d0ced45a2d103f8626e1
Score

10^/10

amadey raccoon redline smokeloader vidar 754 7ebf9b416b72a203df65383eec899dc689d2c3d7 8dec62c1db2959619dca43e02fa46ad7bd606400 backdoor discovery infostealer spyware stealer suricata trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Amadey CnC Check-In
  suricata: ET MALWARE Amadey CnC Check-In
  suricata
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1