amadey

Resubmissions

27-10-2021 18:57

211027-xl7fgsgcf3 10

27-10-2021 17:12

211027-vqtzvafge9 10

Sharing

Copy URL

Twitter E-mail

General

Target

bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
Size

341KB
Sample

211027-vqtzvafge9
MD5

bb13f6d819f3b18ebbfe1fb2e0d6c1ed
SHA1

7449eecd5006784372a71b1f9f05f74bbe0cd0c7
SHA256

bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
SHA512

1763e7b5f21ae06af2da655166f46a958f6089e54b649a68cd9540d6623f9e08e51a87b0a856eaadd79824172a8920d997ae1936ca8eee79b85f5f5d7fdf41cd

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xacokuo8.top/

http://hajezey1.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

11111

93.115.20.139:28978

Extracted

Family

vidar

Version

41.6

Botnet

754

https://mas.to/@lilocc

Attributes

profile_id
754

Extracted

Family

raccoon

Botnet

60e59be328fbd2ebac1839ea99411dccb00a6f49

Attributes

url4cnc
http://telegin.top/agrybirdsgamerept
http://ttmirror.top/agrybirdsgamerept
http://teletele.top/agrybirdsgamerept
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Botnet

b6c3d41f039fbc353edce408d14ca491fee838d3

Attributes

url4cnc
http://telegin.top/hiioBlacklight1
http://ttmirror.top/hiioBlacklight1
http://teletele.top/hiioBlacklight1
http://telegalive.top/hiioBlacklight1
http://toptelete.top/hiioBlacklight1
http://telegraf.top/hiioBlacklight1
https://t.me/hiioBlacklight1

rc4.plain

Extracted

Family

amadey

Version

2.70

185.215.113.45/g4MbvE/index.php

Extracted

Family

raccoon

Botnet

04256a88c32735dbae9e9e965ae6cfecb37a8ec5

Attributes

url4cnc
http://telegin.top/kaba4ello
http://ttmirror.top/kaba4ello
http://teletele.top/kaba4ello
http://telegalive.top/kaba4ello
http://toptelete.top/kaba4ello
http://telegraf.top/kaba4ello
https://t.me/kaba4ello

rc4.plain

Extracted

Family

redline

Botnet

z0rm1on

185.215.113.94:15564

Extracted

Family

vidar

Version

41.6

Botnet

706

https://mas.to/@lilocc

Attributes

profile_id
706

Extracted

Family

redline

Botnet

MONEY-2021

2.56.214.190:59628

Targets

- Target
  
  bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
- Size
  
  341KB
- MD5
  
  bb13f6d819f3b18ebbfe1fb2e0d6c1ed
- SHA1
  
  7449eecd5006784372a71b1f9f05f74bbe0cd0c7
- SHA256
  
  bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
- SHA512
  
  1763e7b5f21ae06af2da655166f46a958f6089e54b649a68cd9540d6623f9e08e51a87b0a856eaadd79824172a8920d997ae1936ca8eee79b85f5f5d7fdf41cd
Score

10^/10

bazarloader raccoon redline smokeloader vidar 11111 60e59be328fbd2ebac1839ea99411dccb00a6f49 754 b6c3d41f039fbc353edce408d14ca491fee838d3 backdoor discovery dropper infostealer loader spyware stealer trojan amadey 04256a88c32735dbae9e9e965ae6cfecb37a8ec5 706 money-2021 z0rm1on
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Bazar/Team9 Loader payload
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Bazar Loader

Raccoon

RedLine

RedLine Payload

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Vidar

Bazar/Team9 Loader payload

Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2