amadey

General

Target

15710855b6272a6740f8f5e9b1ba3a8d.exe
Size

333KB
Sample

221118-2hmzwsfa7v
MD5

15710855b6272a6740f8f5e9b1ba3a8d
SHA1

8730a4454661c96e8be30d0e376b0636625dd776
SHA256

302087f56db8bf13c20c52aad047a088aac5165ed29ffe83d8360df8ec40be88
SHA512

b625305aae1028edc71a61a36e71533d1a6dd0d3cac6a992f33761d15e90ea4e3f1f9c3d4ca4fa14164d9e461d3d5944f0bccbd4a4103c9c8d0a70ee0622b246
SSDEEP

6144:bkgd34erKuf6vdxO8Z8omQ8h+3oQ9gOU+fzYBb6:3dIe2dvdxP88j9gT6

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

email

C2

89.23.96.39:44465

Attributes

auth_value
f9940860247e8a85fc8c16674c54799c

Extracted

Family

vidar

Version

55.7

Botnet

1827

C2

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

Attributes

profile_id
1827

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

redline

Botnet

8m

C2

chardhesha.xyz:81

jalocliche.xyz:81

Attributes

auth_value
40f61f1011202f643d5fe545c9e6597d

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Targets

- Target
  
  15710855b6272a6740f8f5e9b1ba3a8d.exe
- Size
  
  333KB
- MD5
  
  15710855b6272a6740f8f5e9b1ba3a8d
- SHA1
  
  8730a4454661c96e8be30d0e376b0636625dd776
- SHA256
  
  302087f56db8bf13c20c52aad047a088aac5165ed29ffe83d8360df8ec40be88
- SHA512
  
  b625305aae1028edc71a61a36e71533d1a6dd0d3cac6a992f33761d15e90ea4e3f1f9c3d4ca4fa14164d9e461d3d5944f0bccbd4a4103c9c8d0a70ee0622b246
- SSDEEP
  
  6144:bkgd34erKuf6vdxO8Z8omQ8h+3oQ9gOU+fzYBb6:3dIe2dvdxP88j9gT6
Score

10^/10

smokeloader backdoor trojan amadey redline vidar 1827 8m email kript discovery evasion infostealer spyware stealer themida
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2