Overview

overview

10

Static

static

356a724f59...de.exe

windows7-x64

10

356a724f59...de.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de

  • Size

    104KB

  • Sample

    221129-zx1s7aga76

  • MD5

    8a3c83f840de566847fc41fa77f1c78a

  • SHA1

    9b6088116d7dc9221f564dec0ae70ac4c98e618e

  • SHA256

    05ee4dcd8bb8b29e243f46b0ae86766e346ff6d496ca54f96e3a14bc5aafe331

  • SHA512

    7010361b0d6475c7dc8508c53cdd82c5e9eb926cfd9c7befb2e54f1aa288221f1c591f32b075e2099886cea88adba295a32f8bf5de239c49449ebcb75d62a014

  • SSDEEP

    1536:8etyQUusrqUGc93l57r/j1py6jQkdrU6cXOHNGtEdVeBrr+C4ozjzoHfOCkE:9Ilfnl5bpjQABTSueBXRzqZkE

Score
10/10
amadeysmokeloadervidar1148backdoorcollectiondiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

62.204.41.252/nB8cWack3/index.php

Extracted

Family

vidar

Version

56

Botnet

1148

C2

https://t.me/asifrazatg

https://steamcommunity.com/profiles/76561199439929669
Attributes
  • profile_id

    1148

Targets

    • Target

      356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de

    • Size

      146KB

    • MD5

      d3ca1d2e2a38db7c2924aa6ba8f6b7c3

    • SHA1

      efdd5aae4010ad1c9444df486baf03d7a21f91a9

    • SHA256

      356a724f59956fecf066f25a75a295b30bfb98207e0e71c4aaf917fa771251de

    • SHA512

      25a879d5cc4595eac49608c313b25b5b8772d46668ee7a724bec23ea8be6aef5077d956fe775a387c66183b478c09f58f2b24c4203361695a355b0f6a593274d

    • SSDEEP

      3072:kr6/96rsuWn5xcfhm/9fyYLbB2KDhgw2Uk8bbHJp7m:n/Arsu1gfB2Uk87

    Score
    10/10
    smokeloaderbackdoortrojanamadeyvidar1148collectiondiscoverypersistencespywarestealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks