amadey

General

Target

11dcd8e017b0e067e922cfb6507a8dde.exe
Size

421KB
Sample

240417-e3netsfc4s
MD5

11dcd8e017b0e067e922cfb6507a8dde
SHA1

80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256

2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512

52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
SSDEEP

6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199673019888

https://t.me/irfail

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

94.228.162.82:6606

94.228.162.82:7707

94.228.162.82:8808

Mutex

YBc01FE5mcOd

Attributes

delay
3
install
true
install_file
appBroker.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  11dcd8e017b0e067e922cfb6507a8dde.exe
- Size
  
  421KB
- MD5
  
  11dcd8e017b0e067e922cfb6507a8dde
- SHA1
  
  80c4e499c9666401a0f9099482c7fa9debe006d5
- SHA256
  
  2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
- SHA512
  
  52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
- SSDEEP
  
  6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx
Score

10^/10

amadey asyncrat vidar zgrat default persistence rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Vidar Stealer
  stealer
- Detect ZGRat V1
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Async RAT payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2