amadey

General

Target

28e6b17dbc94ab578deb129913c5d938f1b4ef81ba9484009efa13be60c957a5.zip
Size

2.0MB
Sample

231013-r19w9scd82
MD5

195c1612e827fa163db624cdff4d997d
SHA1

e974165005a49a57994cce3437e40ed10e3ef6dc
SHA256

640c40c64d0cac7cf4ba14c9282548b9e7de52d750b7b00f78d5892a310af856
SHA512

d009dcbae02534160293a85b0931e504b03cc48e1593e8dcd9f5bc60e22b7bb53ab7fcf50e061ef18b7e1ea851a7a0584dcd53913fa95782676cc462badbff13
SSDEEP

49152:tpcTl9Ob1gcSbknqn7t4IrlmkYKiclWsXUQU00EL4CPUaZmvG:tCTl9ObWb5n7t7blWs10Y4CPUxG

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes

install_dir
1ff8bec27e
install_file
nhdues.exe
strings_key
2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

vidar

Version

6

Botnet

5a1fadccb27cfce506dba962fc85426d

C2

https://steamcommunity.com/profiles/76561199560322242

https://t.me/cahalgo

Attributes

profile_id_v2
5a1fadccb27cfce506dba962fc85426d
user_agent
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 uacq

Targets

- Target
  
  28e6b17dbc94ab578deb129913c5d938f1b4ef81ba9484009efa13be60c957a5.exe
- Size
  
  5.3MB
- MD5
  
  3e34a4079a28dd2da3595cda4b02b28f
- SHA1
  
  b0b3df4afb3d9714a551f9f1db8877e3bb248770
- SHA256
  
  28e6b17dbc94ab578deb129913c5d938f1b4ef81ba9484009efa13be60c957a5
- SHA512
  
  9e1b0bf3f00dec6774adb49f0126302c0e7726d3f38c044e4bc12505922cc4bb93e55d5a926a4309cd0f407b8c1314cc0f1670eeb1eb4b67c9fa2e1ae03d8df9
- SSDEEP
  
  49152:U7nubEiNrMdIyfN6RCZjKDvsbl6TT3kc40e4VOmCOVMhDkrda1oS3QZX+yav3Qwf:U3EJZalfT3x0byWYwE
Score

10^/10

amadey glupteba vidar 5a1fadccb27cfce506dba962fc85426d discovery dropper evasion loader persistence spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2