General

  • Target

    3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7

  • Size

    184KB

  • Sample

    221123-vdv2dagg34

  • MD5

    82290b65f1806dd8ed6f1ba881cdd96c

  • SHA1

    b03dd1e478ccb293b14b1dd720463ec8ed7bd8fd

  • SHA256

    f9137cac5f422e9849cc58a1435ff3fae044df5fd9517816d7be9440aed70b20

  • SHA512

    f937a534353031ba4b4ceaa78afbfc9eac5b7f6af1a0da4ff9e4f5af965515b796634f99bf38553532a08b5423e10b2cab4b83fb7ad385d4dff58ee3a5e106e2

  • SSDEEP

    3072:iQaYecJc+mkE2nNWEcmqzGJXxggE/426iYnzLW4OcG5dRfHnjt57gEIXR/Fu:iQaYNmkJnNWEc9zoXxm4XzLNOcWPfHnb

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.50

  • C2

    193.56.146.174/g84kvj4jck/index.php

Extracted

  • Family

    vidar

  • Version

    55.7

  • Botnet

    1829

  • C2

    https://t.me/deadftx

    https://www.tiktok.com/@user6068972597711

  • Attributes

      • profile_id

        1829

Extracted

  • Family

    redline

  • Botnet

    novr

  • C2

    31.41.244.14:4694

  • Attributes

      • auth_value

        34ddf4eb9326256f20a48cd5f1e9b496

Extracted

  • Family

    redline

  • C2

    45.138.74.121:80

  • Attributes

      • auth_value

        36460b59063b2ac8535ad35f0861e6d9

Extracted

  • Family

    redline

  • Botnet

    @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

  • C2

    151.80.89.233:13553

  • Attributes

      • auth_value

        fbee175162920530e6bf470c8003fa1a

Targets

    • Target

      3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7

    • Size

      244KB

    • MD5

      529dd7d863272e41eb4e8319861ac846

    • SHA1

      3efb8f465ebcbfe0ea2b36aa4e0021f1c26a9a38

    • SHA256

      3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7

    • SHA512

      89892f6afabbd558fc84787e2f2aee93ddf048997b343150ed9e0fe8c033236d8f0ac2c167685a48fa5dd686ba2f8a1394b02a875b6e3e3b7cc31e611c16d740

    • SSDEEP

      6144:wuTL+CSPjWEbvxm4XHLNOcWPfJnj7zIo3B2:wuT7SP/bvYE51WPfVjwIB2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Vidar

      Vidar is an infostealer based on the Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Uses the VBS compiler for execution

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks