amadey

Sharing

General

Target

f988d0bd507f29328e1634e557b8f024dfc8c8e64901754cb0192f264ef1add3
Size

186KB
Sample

211028-nhcx2agbhn
MD5

d3753fba00f39a2d48ccc123ef4ca873
SHA1

e0aa2ecc7eb657ef2770ab9795d90713b7f46ace
SHA256

f988d0bd507f29328e1634e557b8f024dfc8c8e64901754cb0192f264ef1add3
SHA512

9c823fa0d8e9488ea30e602c1f422c5bf0e00541c53bd6319f10f67fe11592f9401cbe32e34375abb04776700c2e157fc83ec7fc08a9542318abefef2b4ac53b

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xacokuo8.top/

http://hajezey1.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

999323

93.115.20.139:28978

Extracted

Family

amadey

Version

2.70

185.215.113.45/g4MbvE/index.php

Extracted

Family

vidar

Version

41.6

Botnet

754

https://mas.to/@lilocc

Attributes

profile_id
754

Extracted

Family

redline

Botnet

SafeInstaller

185.183.32.161:80

Extracted

Family

raccoon

Botnet

60e59be328fbd2ebac1839ea99411dccb00a6f49

Attributes

url4cnc
http://telegin.top/agrybirdsgamerept
http://ttmirror.top/agrybirdsgamerept
http://teletele.top/agrybirdsgamerept
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Targets

- Target
  
  f988d0bd507f29328e1634e557b8f024dfc8c8e64901754cb0192f264ef1add3
- Size
  
  186KB
- MD5
  
  d3753fba00f39a2d48ccc123ef4ca873
- SHA1
  
  e0aa2ecc7eb657ef2770ab9795d90713b7f46ace
- SHA256
  
  f988d0bd507f29328e1634e557b8f024dfc8c8e64901754cb0192f264ef1add3
- SHA512
  
  9c823fa0d8e9488ea30e602c1f422c5bf0e00541c53bd6319f10f67fe11592f9401cbe32e34375abb04776700c2e157fc83ec7fc08a9542318abefef2b4ac53b
Score

10^/10

amadey raccoon redline smokeloader vidar 60e59be328fbd2ebac1839ea99411dccb00a6f49 754 999323 safeinstaller backdoor discovery infostealer persistence spyware stealer suricata trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Amadey CnC Check-In
  suricata: ET MALWARE Amadey CnC Check-In
  suricata
- suricata: ET MALWARE Known Sinkhole Response Header
  suricata: ET MALWARE Known Sinkhole Response Header
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1