amadey

Sharing

General

Target

ffaa1ef0eb9c2a6d046d0be63ac5eb84ff761cabffd9902525f8a77dc9236908
Size

160KB
Sample

211031-qhv5qagac2
MD5

88361ccaea37012144f512e66e61f30a
SHA1

057ac1ee008253d0e7aeb71fbbfda398e2270637
SHA256

ffaa1ef0eb9c2a6d046d0be63ac5eb84ff761cabffd9902525f8a77dc9236908
SHA512

25f07e6aa515ce32de687561371be3fee72a6c5dcbcef15fe8accb101b49de971042f35e795eea71db030367730bebdeec9e03be23c83080e8414a221949893a

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey70.top/

http://wijibui00.top/

rc4.i32

Extracted

Family

amadey

Version

2.81

185.215.113.45/g4MbvE/index.php

Extracted

Family

redline

Botnet

123123123

93.115.20.139:28978

Extracted

Family

redline

Botnet

185.183.32.161:45391

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Botnet

68e2d75238f7c69859792d206401b6bde2b2515c

Attributes

url4cnc
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

vidar

Version

41.6

Botnet

936

https://mas.to/@lilocc

Attributes

profile_id
936

Targets

- Target
  
  ffaa1ef0eb9c2a6d046d0be63ac5eb84ff761cabffd9902525f8a77dc9236908
- Size
  
  160KB
- MD5
  
  88361ccaea37012144f512e66e61f30a
- SHA1
  
  057ac1ee008253d0e7aeb71fbbfda398e2270637
- SHA256
  
  ffaa1ef0eb9c2a6d046d0be63ac5eb84ff761cabffd9902525f8a77dc9236908
- SHA512
  
  25f07e6aa515ce32de687561371be3fee72a6c5dcbcef15fe8accb101b49de971042f35e795eea71db030367730bebdeec9e03be23c83080e8414a221949893a
Score

10^/10

amadey raccoon redline smokeloader vidar 123123123 68e2d75238f7c69859792d206401b6bde2b2515c 8dec62c1db2959619dca43e02fa46ad7bd606400 936 superstar v5 backdoor collection discovery evasion infostealer spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1