amadey

General

Target

f2bda26791d421abe90af5077a8f6bf9dbc0577607df37980e01230c98b5e285
Size

209KB
Sample

211026-ea3n2sggg2
MD5

858531422892e434fa9f94268705262f
SHA1

c169de55a64c2e291d40042a6bdba6dab6404c6b
SHA256

f2bda26791d421abe90af5077a8f6bf9dbc0577607df37980e01230c98b5e285
SHA512

1f33440d3d4ea8c9a5c8946e2bde5c2bd97155b7ffdd5b9429d8395ded9d55300b98f4e4a34f3f7090758247c57508f738608241965b8ef08eb6bb32d79bcac3

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/

rc4.i32

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

amadey

Version

2.70

C2

185.215.113.45/g4MbvE/index.php

Extracted

Family

vidar

Version

41.6

Botnet

754

C2

https://mas.to/@lilocc

Attributes

profile_id
754

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Targets

- Target
  
  f2bda26791d421abe90af5077a8f6bf9dbc0577607df37980e01230c98b5e285
- Size
  
  209KB
- MD5
  
  858531422892e434fa9f94268705262f
- SHA1
  
  c169de55a64c2e291d40042a6bdba6dab6404c6b
- SHA256
  
  f2bda26791d421abe90af5077a8f6bf9dbc0577607df37980e01230c98b5e285
- SHA512
  
  1f33440d3d4ea8c9a5c8946e2bde5c2bd97155b7ffdd5b9429d8395ded9d55300b98f4e4a34f3f7090758247c57508f738608241965b8ef08eb6bb32d79bcac3
Score

10^/10

amadey raccoon redline smokeloader vidar 754 7ebf9b416b72a203df65383eec899dc689d2c3d7 8dec62c1db2959619dca43e02fa46ad7bd606400 backdoor discovery infostealer spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1