amadey

General

Target

8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
Size

338KB
Sample

221119-s721nsdb5w
MD5

a687e1c326c9f03569bbfef53e21c315
SHA1

1993746a547c67807c1118501e1a7ff9261f7c8b
SHA256

8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
SHA512

69c6d3a228ad0df876ca3259a1cbd62893c48409af271d9c4871fc8bdbb8e35ecf0c2d382086b65fc155a86d9ccd6101379a4d02d2f54545a5f746a6558d6a1c
SSDEEP

3072:OJvvbtjLGg1cSgH7P7AGkZ2gdRJvh2vOfPztr+c+PEG7lOmV25lKE1miUO1a1e4Y:mtfGg0b8Gkfvh2v0BohVVPE+O1voXc

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

10m

C2

chardhesha.xyz:81

jalocliche.xyz:81

Attributes

auth_value
52531a1a08be5995cbd063d92845e9fa

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

vidar

Version

55.7

Botnet

1148

C2

https://t.me/deadftx

https://www.tiktok.com/@user6068972597711

Attributes

profile_id
1148

Extracted

Family

redline

Botnet

New2022

C2

185.106.92.111:2510

Attributes

auth_value
ef6fe7baf59e3191ff2f569e3bf0e2c7

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Targets

- Target
  
  8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
- Size
  
  338KB
- MD5
  
  a687e1c326c9f03569bbfef53e21c315
- SHA1
  
  1993746a547c67807c1118501e1a7ff9261f7c8b
- SHA256
  
  8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
- SHA512
  
  69c6d3a228ad0df876ca3259a1cbd62893c48409af271d9c4871fc8bdbb8e35ecf0c2d382086b65fc155a86d9ccd6101379a4d02d2f54545a5f746a6558d6a1c
- SSDEEP
  
  3072:OJvvbtjLGg1cSgH7P7AGkZ2gdRJvh2vOfPztr+c+PEG7lOmV25lKE1miUO1a1e4Y:mtfGg0b8Gkfvh2v0BohVVPE+O1voXc
Score

10^/10

amadey redline smokeloader vidar 10m 1148 kript new2022 backdoor collection discovery infostealer spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1