amadey

General

Target

c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32
Size

1.7MB
Sample

231020-bth7zadb91
MD5

e21f3665ec7bddb34730e1712b53957f
SHA1

a98b88113f41bcc6e7e10bfa94f0b71021cd45f9
SHA256

c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32
SHA512

b2525f0cbd035b6e801cbcfe6fc70b568a73ee152706c42f61147d8feed309315ed6bbcbfbba2dde0bdd55b29d5ea232db3d989b9c3501d757c9ab71c401db13
SSDEEP

24576:B3qKnZ3Pd5e1ToumYnOzR+rjMFvB4s6xl87AKwD:NnZ3lElZARrEXAAKG

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes

install_dir
1ff8bec27e
install_file
nhdues.exe
strings_key
2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

6.1

Botnet

55d1d90f582be35927dbf245a6a59f6e

C2

https://steamcommunity.com/profiles/76561199563297648

https://t.me/twowheelfun

Attributes

profile_id_v2
55d1d90f582be35927dbf245a6a59f6e
user_agent
Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/605.1.15

Extracted

Family

purecrypter

C2

http://104.194.128.170/svp/Hfxbflp.mp3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32
- Size
  
  1.7MB
- MD5
  
  e21f3665ec7bddb34730e1712b53957f
- SHA1
  
  a98b88113f41bcc6e7e10bfa94f0b71021cd45f9
- SHA256
  
  c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32
- SHA512
  
  b2525f0cbd035b6e801cbcfe6fc70b568a73ee152706c42f61147d8feed309315ed6bbcbfbba2dde0bdd55b29d5ea232db3d989b9c3501d757c9ab71c401db13
- SSDEEP
  
  24576:B3qKnZ3Pd5e1ToumYnOzR+rjMFvB4s6xl87AKwD:NnZ3lElZARrEXAAKG
Score

10^/10

amadey glupteba privateloader purecrypter smokeloader vidar 55d1d90f582be35927dbf245a6a59f6e pub1 backdoor downloader dropper evasion loader stealer trojan upx vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Drops startup file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1