Overview

overview

10

Static

static

3

5f344c8009...af.exe

windows7-x64

10

5f344c8009...af.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

  • Size

    391KB

  • Sample

    240410-ngpv7sgh9t

  • MD5

    19d257c7f63ff3dbf8b5ae26f2c1b45a

  • SHA1

    dc84514dd1471efa7db9e34c43c6a60827dadad0

  • SHA256

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

  • SHA512

    7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb

  • SSDEEP

    6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj

Score
10/10
amadeyvidar1827collectioncredmodulespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.21

C2

http://185.215.113.204

Attributes
  • install_dir

    580e612ff0

  • install_file

    bguuwe.exe

  • strings_key

    11ae05ddf878fd8a904552f1e0be6ecb

  • url_paths

    /Lkb2dxj3/index.php

rc4.plain

Extracted

Family

vidar

Version

55.7

Botnet

1827

C2

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

http://116.202.2.1:80
Attributes
  • profile_id

    1827

Targets

    • Target

      5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

    • Size

      391KB

    • MD5

      19d257c7f63ff3dbf8b5ae26f2c1b45a

    • SHA1

      dc84514dd1471efa7db9e34c43c6a60827dadad0

    • SHA256

      5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

    • SHA512

      7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb

    • SSDEEP

      6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj

    Score
    10/10
    amadeycollectioncredmodulespywarestealertrojanvidar1827

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Amadey credential stealer module

      credmodule

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks