General

Target: c28b019c0ad70dea696f4f1580e8aa0b0f145e917d5dbe602f0818a9e7f5d334
Size: 191KB
Sample: 221201-23bscsdh4z
MD5: e56d2da1d2757348368d7df167a1b05f
SHA1: b73d514c61878a4f9a74270a00666129b25bbd0d
SHA256: c28b019c0ad70dea696f4f1580e8aa0b0f145e917d5dbe602f0818a9e7f5d334
SHA512: 98d31b0aecc48a22a6d6d721d23082735c314736089b5c650bf2b7ef6019b9e3389de6ee1a9dfce7ffbf684c90c005be4b67ff43bc79a84e1bcd05cfc7dc253a
SSDEEP: 3072:3Nb5ZXPW6XihIJ5oKlMs9PDqFjonqO+zRs9E3AZxpR/3qx:3E6XihQzLqYqkvpY
Static task: static1

Malware Config

Extracted: vidar
56
1148
https://t.me/asifrazatg
https://steamcommunity.com/profiles/76561199439929669
profile_id: 1148

Extracted: amadey
3.50
62.204.41.252/nB8cWack3/index.php
Targets

Target: c28b019c0ad70dea696f4f1580e8aa0b0f145e917d5dbe602f0818a9e7f5d334
Size: 191KB
MD5: e56d2da1d2757348368d7df167a1b05f
SHA1: b73d514c61878a4f9a74270a00666129b25bbd0d
SHA256: c28b019c0ad70dea696f4f1580e8aa0b0f145e917d5dbe602f0818a9e7f5d334
SHA512: 98d31b0aecc48a22a6d6d721d23082735c314736089b5c650bf2b7ef6019b9e3389de6ee1a9dfce7ffbf684c90c005be4b67ff43bc79a84e1bcd05cfc7dc253a
SSDEEP: 3072:3Nb5ZXPW6XihIJ5oKlMs9PDqFjonqO+zRs9E3AZxpR/3qx:3E6XihQzLqYqkvpY
Signatures

- Detect Amadey credential stealer module
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext