General

  • Target

    5ac3074c8d161f87f271a27ead8165e9.exe

  • Size

    374KB

  • Sample

    220706-e5dcmsghaj

  • MD5

    5ac3074c8d161f87f271a27ead8165e9

  • SHA1

    79e1a2516339a0faeb8d22f770f63c6976d5f1d9

  • SHA256

    9833edafc450a7d9fd1d66bb91e1e20b2d202569a5272b036d29a1d74570b76c

  • SHA512

    2c317a75efaae5f369bcd4ce40b9736d7322b25e6c6c710a4a957afc16c097dcb39a41d5efb3e2331e9625f40a7d5dfce6d3e5786024b7cac9c4ec406d40bc73

Malware Config

Extracted

Family

vidar

Version

53.1

Botnet

1448

C2

https://t.me/tg_dailyrunnings

https://mastodon.online/@olegf9844g

Attributes
  • profile_id

    1448

Extracted

Family

amadey

Version

3.21

C2

185.215.113.15/Lkb2dxj3/index.php

Targets

    • Target

      5ac3074c8d161f87f271a27ead8165e9.exe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Amadey CnC Check-In

    • suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

    • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    • Vidar Stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                      Count  ID
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Defense Evasion        Install Root Certificate       1      T1130
  Defense Evasion        Modify Registry                1      T1112
  Credential Access      Credentials in Files           4      T1081
  Discovery              Query Registry                 3      T1012
  Discovery              System Information Discovery   3      T1082
  Collection             Data from Local System         4      T1005
  Collection             Email Collection               1      T1114

Tasks