General

  • Target

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

  • Size

    391KB

  • Sample

    240410-ngpv7sgh9t

  • MD5

    19d257c7f63ff3dbf8b5ae26f2c1b45a

  • SHA1

    dc84514dd1471efa7db9e34c43c6a60827dadad0

  • SHA256

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

  • SHA512

    7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb

  • SSDEEP

    6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.21

  • C2

    http://185.215.113.204

Attributes
  • install_dir

    580e612ff0

  • install_file

    bguuwe.exe

  • strings_key

    11ae05ddf878fd8a904552f1e0be6ecb

  • url_paths

    /Lkb2dxj3/index.php

rc4.plain

Extracted

  • Family

    vidar

  • Version

    55.7

  • Botnet

    1827

  • C2

    https://t.me/deadftx

    https://www.ultimate-guitar.com/u/smbfupkuhrgc1

    http://116.202.2.1:80

Attributes
  • profile_id

    1827

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • T1053 Scheduled Task/Job (1)

Persistence

  • T1053 Scheduled Task/Job (1)

Privilege Escalation

  • T1053 Scheduled Task/Job (1)

Defense Evasion

  • T1553 Subvert Trust Controls (1)

      • T1553.004 Install Root Certificate (1)

  • T1112 Modify Registry (1)

Credential Access

  • T1552 Unsecured Credentials (2)

      • T1552.001 Credentials In Files (1)

      • T1552.002 Credentials in Registry (1)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)

Collection

  • T1005 Data from Local System (2)

  • T1114 Email Collection (1)

Command and Control

  • T1102 Web Service (1)

Tasks