General

  • Target

    New_Main_pass1234_v23_gac.rar

  • Size

    5.0MB

  • Sample

    221128-v16fmagb9v

  • MD5

    143d3cebea06e494dac28857dea4fa2a

  • SHA1

    4c79f7f6fda0121ded81aa781c7a8dd01b90e070

  • SHA256

    a3498b747c3f247311107504bfbf40f6df4823b3b387aeba6b23053a435d2757

  • SHA512

    b718d122074e28b5de322929898b6884c0299c2b5b721894d065a73ce2f7e08af5304a3ccdd7c064153746c3a66e38017e87231479cd3b09ec114a90b6ef2d2e

  • SSDEEP

    98304:eQeK2XihH8lv/YqtqP2Hr/LtHgF6fVnjD96SjNcH39E0KIgAFOmnMVG:eQL5gYqtqP2Hr/LtHgF6Nj57J+3urmM0

Malware Config

Extracted

  • Family

    vidar

  • Version

    55.9

  • Botnet

    1707

  • C2

    https://t.me/headshotsonly
    https://steamcommunity.com/profiles/76561199436777531

  • Attributes

    profile_id: 1707

Extracted

  • Family

    amadey

  • Version

    3.50

  • C2

    77.73.134.66/o7Vsjd3a2f/index.php

Targets

    • Target

      Setup.exe

    • Size

      401.8MB

    • MD5

      e3fdd26f425aa1c0301ae798b98ed228

    • SHA1

      6bd049d2e8cc0c9941b1dcd77220e2ab52f3d5d0

    • SHA256

      1d0e79992d80178e475124f2c13fb462979e5322f73e61a35d428d11b1d17796

    • SHA512

      265c6f714aa2a9393ae260edfa45e4bdfadca6995c462f2ef935073fcf14466613a64e7bfda8f2f7df0406f1e585bf404f3b63b122c54207b367ee3ecf728e84

    • SSDEEP

      98304:cEjqxnA7VSTpjBXBYSeGs1TjtLbLvYp1J01ZQ:1+xn4STFBxYJ9Vi01C

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other account data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                        Count  ID
  Execution              Scheduled Task                   1      T1053
  Persistence            Scheduled Task                   1      T1053
  Privilege Escalation   Scheduled Task                   1      T1053
  Defense Evasion        File Permissions Modification    1      T1222
  Defense Evasion        Install Root Certificate         1      T1130
  Defense Evasion        Modify Registry                  1      T1112
  Credential Access      Credentials in Files             4      T1081
  Discovery              Query Registry                   3      T1012
  Discovery              System Information Discovery     3      T1082
  Collection             Data from Local System           4      T1005
  Collection             Email Collection                 1      T1114

Tasks