amadey

Resubmissions

19-11-2022 05:24

221119-f356bafb39 10

18-11-2022 14:50

18-11-2022 14:29

18-11-2022 14:22

18-11-2022 14:19

Sharing

Copy URL

Twitter E-mail

General

Target

438ce9fd583ae339b35894e78a472e5351280827cb1037c252c64e186b1229cc
Size

336KB
Sample

221118-rmwgqadd8x
MD5

bdfcfdaea2f15e488af7f465eefb8f76
SHA1

9edede4d3754baa79eb726275f9d10b4bc5a7973
SHA256

438ce9fd583ae339b35894e78a472e5351280827cb1037c252c64e186b1229cc
SHA512

4b18f277fd1a5439b98e3bb61a58ce890bb9125b7317517fc1596c18f1775125296c7cd948147398d6e312279b48b466fed4c3a689d6b485aae53764122dd732
SSDEEP

6144:4pONwCMhMfMVDAFKUv7W148zZ+hp0fBa1nugw:hNuhMWDghVXhp0fQ1jw

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

55.7

Botnet

1827

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

Attributes

profile_id
1827

Extracted

Family

redline

Botnet

chardhesha.xyz:81

jalocliche.xyz:81

Attributes

auth_value
76a31c53cee25a40a7e76cc0e46fa9fa

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Targets

- Target
  
  438ce9fd583ae339b35894e78a472e5351280827cb1037c252c64e186b1229cc
- Size
  
  336KB
- MD5
  
  bdfcfdaea2f15e488af7f465eefb8f76
- SHA1
  
  9edede4d3754baa79eb726275f9d10b4bc5a7973
- SHA256
  
  438ce9fd583ae339b35894e78a472e5351280827cb1037c252c64e186b1229cc
- SHA512
  
  4b18f277fd1a5439b98e3bb61a58ce890bb9125b7317517fc1596c18f1775125296c7cd948147398d6e312279b48b466fed4c3a689d6b485aae53764122dd732
- SSDEEP
  
  6144:4pONwCMhMfMVDAFKUv7W148zZ+hp0fBa1nugw:hNuhMWDghVXhp0fQ1jw
Score

10^/10

amadey redline smokeloader vidar 1827 7m backdoor collection discovery infostealer spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1