General
-
Target
https://workupload.com/file/SaZEYKEFmA3
-
Sample
230713-mkbx3shc4x
Malware Config
Extracted
vidar
4.7
https://t.me/prescilliouns
https://t.me/prescilliouns
https://t.me/eagl3z
https://steamcommunity.com/profiles/76561199159550234
-
profile_id_v2
https://t.me/prescilliouns
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq
Extracted
amadey
3.85
45.9.74.164/b7djSDcPcZ/index.php
Extracted
systembc
5.42.65.67:4298
localhost.exchange:4298
Targets
-
-
Target
https://workupload.com/file/SaZEYKEFmA3
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-