amadey

Sharing

General

Target

c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd
Size

559KB
Sample

230803-qw4n1sef2y
MD5

0edd091e2448140892af233184924bf5
SHA1

754987a26b17659e0d06f55642e54e16a09ff7a9
SHA256

c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd
SHA512

5bf78dbd3f55760330ff7ba4bfaa0666348de6666262e91740b5690782dfe7357edf9f8ca8ed37547c920c59cc015454a5e6d2446b82c48c57da4a4665a14dfb
SSDEEP

12288:qMrMy905SCgJEG7zgyj8sc0+B2ETxADgU:qyz+MgsDcxB7TiDgU

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.87

193.233.255.9/nasa/index.php

Extracted

Family

redline

Botnet

maxik

77.91.124.156:19071

Attributes

auth_value
a7714e1bc167c67e3fc8f9e368352269

Extracted

Family

redline

Botnet

1112224312

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

@oleh_ps

176.123.9.85:16482

Attributes

auth_value
24848220823af15a5e52db502394fad3

Extracted

Family

vidar

Version

Botnet

c2438bb36e46960f59a09a0a267eeb74

https://t.me/versozaline

https://steamcommunity.com/profiles/76561199532186526

Attributes

profile_id_v2
c2438bb36e46960f59a09a0a267eeb74
user_agent
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0

Extracted

Family

smokeloader

Version

2022

https://anydesk-my.com/faq/

http://anydesk-my.com/faq/

rc4.i32

Targets

- Target
  
  c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd
- Size
  
  559KB
- MD5
  
  0edd091e2448140892af233184924bf5
- SHA1
  
  754987a26b17659e0d06f55642e54e16a09ff7a9
- SHA256
  
  c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd
- SHA512
  
  5bf78dbd3f55760330ff7ba4bfaa0666348de6666262e91740b5690782dfe7357edf9f8ca8ed37547c920c59cc015454a5e6d2446b82c48c57da4a4665a14dfb
- SSDEEP
  
  12288:qMrMy905SCgJEG7zgyj8sc0+B2ETxADgU:qyz+MgsDcxB7TiDgU
Score

10^/10

amadey healer redline smokeloader vidar 1112224312 @oleh_ps c2438bb36e46960f59a09a0a267eeb74 maxik backdoor dropper evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1