amadey

General

Target

8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe
Size

356KB
Sample

231005-v2k63sdb6t
MD5

3ef6d0d9ca0bc4b00d304ee370853a4c
SHA1

a188652de504e6e53a0f1560fcdd315a409d1ad1
SHA256

8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
SHA512

42b7375dca8da5c1cfa65bc0b8aef15155a5fea8ef1199ea0cd874693b3bd98d01d4cb4b38ed0fd7ef549ad8121ceea6c1d6c462d757793e3f21ceea0fcfbc5b
SSDEEP

6144:rUyuwgfYypdScEGyH2VXisEYvo1JwgeDsizp7qdq:rUyuwgfYgSiyWVXzEYvoXwgeDseH

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes

install_dir
1ff8bec27e
install_file
nhdues.exe
strings_key
2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Extracted

Family

vidar

Version

5.9

Botnet

4841d6b1839c4fa7c20ecc420b82b347

C2

https://steamcommunity.com/profiles/76561199557479327

https://t.me/grizmons

Attributes

profile_id_v2
4841d6b1839c4fa7c20ecc420b82b347
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 OPR/104.0.0.0

Targets

- Target
  
  8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe
- Size
  
  356KB
- MD5
  
  3ef6d0d9ca0bc4b00d304ee370853a4c
- SHA1
  
  a188652de504e6e53a0f1560fcdd315a409d1ad1
- SHA256
  
  8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
- SHA512
  
  42b7375dca8da5c1cfa65bc0b8aef15155a5fea8ef1199ea0cd874693b3bd98d01d4cb4b38ed0fd7ef549ad8121ceea6c1d6c462d757793e3f21ceea0fcfbc5b
- SSDEEP
  
  6144:rUyuwgfYypdScEGyH2VXisEYvo1JwgeDsizp7qdq:rUyuwgfYgSiyWVXzEYvoXwgeDseH
Score

10^/10

amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2