amadey

Sharing

General

Target

523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe
Size

16.5MB
Sample

220117-x5jhrscdgm
MD5

5dd3e68bd9215565b7321224c3594ee7
SHA1

2db6bb30e9ac1e94cc50a42a2b9a6dfdd79a3c56
SHA256

523c3d9d49ff39f7f97331e9d89c18053ab85c80f2ead0b505cc7e27e7aa2fcd
SHA512

1382558c7d20afe3906e949cb7c5fb70fe3948d3722feb09590450fb6188773642324d4d037c4ec6bf20843a309b1d065fd03de4dc097965eba4390b2dff7b3f

Score

10^/10

Malware Config

Extracted

Family

socelars

http://www.wgqpw.com/

Extracted

Family

redline

Botnet

@Tui

185.215.113.44:23759

Extracted

Family

amadey

Version

2.85

185.215.113.35/d2VxjasuwS/index.php

Extracted

Family

redline

Botnet

media5test2

65.108.69.168:16278

Extracted

Family

redline

Botnet

user1

23.88.118.113:23817

Targets

- Target
  
  523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe
- Size
  
  16.5MB
- MD5
  
  5dd3e68bd9215565b7321224c3594ee7
- SHA1
  
  2db6bb30e9ac1e94cc50a42a2b9a6dfdd79a3c56
- SHA256
  
  523c3d9d49ff39f7f97331e9d89c18053ab85c80f2ead0b505cc7e27e7aa2fcd
- SHA512
  
  1382558c7d20afe3906e949cb7c5fb70fe3948d3722feb09590450fb6188773642324d4d037c4ec6bf20843a309b1d065fd03de4dc097965eba4390b2dff7b3f
Score

10^/10

amadey loaderbot redline socelars @tui aspackv2 infostealer loader miner stealer suricata trojan vidar media5test2 user1
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Amadey CnC Check-In
  suricata: ET MALWARE Amadey CnC Check-In
  suricata
- suricata: ET MALWARE CerberTear Ransomware CnC Checkin
  suricata: ET MALWARE CerberTear Ransomware CnC Checkin
  suricata
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

LoaderBot

Process spawned unexpected child process

RedLine

RedLine Payload

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE CerberTear Ransomware CnC Checkin

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

NirSoft WebBrowserPassView

Nirsoft

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2