amadey

Sharing

Copy URL

Twitter E-mail

General

Target

files.zip
Size

8.7MB
Sample

240618-xn8fkavcja
MD5

13c3d528da9daeb96668f0f98cd68969
SHA1

0d943aa66f33d36f7123fb2a4252334810936238
SHA256

b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e
SHA512

235d3324c2dfa4930700ec03e51eba2fff7813c1dbded1d9e8a15c5a30a83cc4f0570d315c70f6e022fc2ee3c4d7df4f472e6f3206103b7116384b25fd5779c9
SSDEEP

196608:x6FeJSpuuac04Wp4K1ZcRME8TKFYv7M3QgF4hsdoM+LaBe//O:x6FeJSrx04Wp4aRdOCvC4moMVYu

Score

10^/10

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

amadey

Version

4.30

Botnet

ffb1b9

http://proresupdate.com

Attributes

install_dir
4bbb72a446
install_file
Hkbsse.exe
strings_key
1ebbd218121948a356341fff55521237
url_paths
/h9fmdW5/index.php

rc4.plain

Targets

- Target
  
  files/Setup.exe
- Size
  
  202KB
- MD5
  
  64179e64675e822559cac6652298bdfc
- SHA1
  
  cceed3b2441146762512918af7bf7f89fb055583
- SHA256
  
  c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
- SHA512
  
  ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
- SSDEEP
  
  3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw
Score

10^/10

stealc vidar stealer amadey ffb1b9 discovery spyware trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Vidar Stealer
  stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  files/WCLDll.dll
- Size
  
  590KB
- MD5
  
  9005812bebfcc98db95def5b1c9b96f0
- SHA1
  
  d85f085c59fe8cca75352399ebc8510e2799bf68
- SHA256
  
  8acf6eea851ccd43a33eee9840794b9944eed61e5be0a7c403b79d3baa48940c
- SHA512
  
  c25c4eaef2d40d5294fcd2b15f3065cb3c6cad19cc5c32da4a81b20d99023dbfcccfa5fbc2d79f45892f7d858c04d956f1734d0359054fae9e609a5d604ab0b1
- SSDEEP
  
  12288:i+Se970XqzxUmUkVakh1d4wJjfXB7w86ywKUc6A9iSOJ7zP8cl7ksEjwdA9iOaQ:ce97qqzxXUkckh1d4wJjfB8vywKUc6A7
Score

1^/10
behavioral3 behavioral4
- Target
  
  files/msvcp140.dll
- Size
  
  427KB
- MD5
  
  71a0aa2d05e9174cefd568347bd9c70f
- SHA1
  
  cb9247a0fa59e47f72df7d1752424b33a903bbb2
- SHA256
  
  fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
- SHA512
  
  6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a
- SSDEEP
  
  12288:bBsEzAVPIODrCdVgI7bwv674dOzhUgiW6QR7t5s03Ooc8dHkC2esy2n:9s8AVwOU7bwTdt03Ooc8dHkC2en2n
Score

3^/10
behavioral5 behavioral6
- Target
  
  files/ptMgr.dll
- Size
  
  2.5MB
- MD5
  
  01069f45230cd2036d138295d1019ae5
- SHA1
  
  6333e77ea19d69779d6e5445eb51c8e29c3af5c3
- SHA256
  
  7ada08db595f00c1bafbabe168a964466fbb691caf4ac70fb63e8c4b2b2a9f85
- SHA512
  
  0b3fa8c71b0dd117aadc64fd3dbe00639812861c3449345c45fd3037b5196259351532b3e2dadecea1318448be69794a1772d11df2fc8fbfaa8af52be3926827
- SSDEEP
  
  49152:wvSyYrklCGEFFKYy3Hlll43MkyoYh0iXGu2B1BItuEjlIeUZhQZZmRvCP:dEkGlDlH1VZ0uGu2lIr
Score

3^/10
behavioral7 behavioral8
- Target
  
  files/ptusredt.dll
- Size
  
  165KB
- MD5
  
  3c3e960d59cb413791fee1e944b6df72
- SHA1
  
  4aa6c90d81692642ca8266bf0d8e249ff3e3ad54
- SHA256
  
  88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
- SHA512
  
  85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac
- SSDEEP
  
  3072:Ze0HJrRJW9+tjxQGsfzeV0YuNmu5uWj5ONq/1epLcv60H9+v:8SrRJGeNsry0hmuqRoy0H9u
Score

1^/10
behavioral10 behavioral9
- Target
  
  files/vcruntime140.dll
- Size
  
  81KB
- MD5
  
  16b26bc43943531d7d7e379632ed4e63
- SHA1
  
  565287de39649e59e653a3612478c2186096d70a
- SHA256
  
  346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
- SHA512
  
  b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc
- SSDEEP
  
  1536:BDpX0WKXQn6s8/oB6xMSKgS9WnESDPIYMWC/q6mYIeTsu03/huecbFWzZoi:BF0ZQnm/oBab8y6mfe0vhuecbFWzZoi
Score

3^/10
behavioral11 behavioral12
- Target
  
  files/vcruntime140_app.dll
- Size
  
  21KB
- MD5
  
  c0f29bd3b0eb4d8795d609a0c52e0926
- SHA1
  
  2f1958696d66edaf38079e370dcc2b41c7474122
- SHA256
  
  813a447192c4fa7d25d0716b769399546f8bf6b31269dd8ad47f9812008d79e6
- SHA512
  
  02bc56ad129a7d6382ba8d68b68a52fa70ace9bce68aae56d901bc60451982e358805e950ab49ae3d0c052c2ac6d44a6f5ab3679cd4ce2fbb205e4a8c7d7b670
- SSDEEP
  
  384:K0g/dJiHlDoeuczbaj7wTfzvg55dHRN7ooiFWSlGs4kz:w/d8lDoeuczbaj7Cg9jHPs
Score

3^/10
behavioral13 behavioral14
- Target
  
  files/wbxtrace.dll
- Size
  
  103KB
- MD5
  
  c2b06a78b6c07a1371b6aed1dbf4fc37
- SHA1
  
  b8847693e7cd3637b1b400e71430cdf629de2e64
- SHA256
  
  9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04
- SHA512
  
  219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411
- SSDEEP
  
  1536:HAIwJ6LSNBZVrzq8HpWt6/wwmSM4QnToIf2TuU/huhAmJ8dDUfH:HnSNBHUt6/wSM4kTBf2iU/huhFJwM
Score

1^/10
behavioral15 behavioral16
- Target
  
  files/x86/HDHelper_[0MB]_[1].exe
- Size
  
  566KB
- MD5
  
  8a179892518a2c4e8a63afa91de7bdce
- SHA1
  
  e9b095c966ccc4c4900b4cf741c067d2a0f43cd4
- SHA256
  
  72ece91f65a461c5023695bf5f31b5b6b5bd629dba8407524e8144f6d1e160e8
- SHA512
  
  91abb220c222a89a2df27818b8385b4015128a35b7d4c43d0f497717a4e5a55dfb9dc1da3f47a49a2400ea8300d41d52277331a6c7c3437ac5cb867a4027b220
- SSDEEP
  
  12288:voJoMf8uSKkd/kAseRy/M96oQD08WjWYatid4TwzSxK/G8kHcL:CEKkd/wXMwoQJW6Ya5TwzUKeH8L
Score

1^/10
behavioral17 behavioral18
- Target
  
  files/x86/NvStereoUtilityOGL_[1MB]_[1].exe
- Size
  
  1.1MB
- MD5
  
  017cd77d01314e72a973ff0c7882453d
- SHA1
  
  288238159cf18418149f5cd3475a6ebb9f45a631
- SHA256
  
  c2c71318a17f7f767e5d203d22b48f27eecae46a4f37082d7b413c51da6183b3
- SHA512
  
  b1d4c87e7d8585c16aa50499398c9a04d90bcd32ab36fbf7a357bc15abce0cd802a259cc7431de9fe2ca77aa68298aab5041157308be4601f7f7aa0c3c180b03
- SSDEEP
  
  24576:zCVnoQHgdFnJhVaqajA4+ubDaSKYqSpamUbSBe:zgnoFFnJjaqajA4+yaSK5SpamUbSBe
Score

3^/10
behavioral19 behavioral20
- Target
  
  files/x86/VSLauncher_[0MB]_[1].exe
- Size
  
  281KB
- MD5
  
  7a7bb3b0e57e4fb32c57b74e78e657ad
- SHA1
  
  f1dee943b1b6238b1466d83325c4099d189cd4b5
- SHA256
  
  87048cff2227d2901314760618d23917cfbc5cc15fc22dc355e803c5ee5fb211
- SHA512
  
  ef0c9985b640189ed9991b301cfbf9771df961e1bf67bf68c5833667db53977c9745bcfb42e059d8bb5bcd7a88253a715d86f65612dccc33514ccda3baaf24c2
- SSDEEP
  
  3072:Dawahjy56hh65Ndqp9ikqtPLy0gJmU/3j41IGvQC2mCILuCW+VoNDRUiuDhJoueT:dLlavj41nDlDOO9uunwiLWyIE2n
Score

1^/10
behavioral21 behavioral22
- Target
  
  files/x86/api-ms-win-core-processthreads-l1-1-1.dll
- Size
  
  17KB
- MD5
  
  29001f316ccfc800e2246743df9b15b3
- SHA1
  
  dc734266648d3463c1f8d88c1ce7d900a4e3b26c
- SHA256
  
  e5ea2c21fb225090f7d0db6c6990d67b1558d8e834e86513bc8ba7a43c4e7b36
- SHA512
  
  4cffc0c6f94fcd1155909993c622b9103abd7a7bce88742a10abd6a3496a334d667a39bb601f99eb174aa847d7dae056e0d9769754ca86320579b262a20a6599
- SSDEEP
  
  384:WRtwDfIe9jWfhWC+Y3DGk8ZpH3GCJErra8o7Q+Y3DGUKn8JN77hhET:ape9A5DGkiRBEXaR70DGa3hqT
Score

1^/10
behavioral23
- Target
  
  files/x86/api-ms-win-core-profile-l1-1-0.dll
- Size
  
  16KB
- MD5
  
  6ee66dca31c5cce57740d677c85b4ce7
- SHA1
  
  8969db03f98f9548caf8e2d8c7f2f5cd7071f333
- SHA256
  
  d00a0edace14715bf79dbd17b715d8a74a2300f0adb1f3fc137edfb7074c9b0a
- SHA512
  
  592e3b6c689a0d6c87079c54c3e13e6ee1fc0c5c770abc854040e85464687c46f0a558be22f8759dbc4a100810386ee379ffe4359cf9091d9afae548bc597be2
- SSDEEP
  
  384:WiIWfhWx+Y3DGk8ZpH3GCJErcx3l/r7+Y3DGU78JN77hhC6UHR:doDGkiRBEWV/rxDGT3h06UHR
Score

1^/10
behavioral24
- Target
  
  files/x86/api-ms-win-core-rtlsupport-l1-1-0.dll
- Size
  
  17KB
- MD5
  
  0069fd29263c0dd90314c48bbce852ef
- SHA1
  
  dfb99c850a69e67e85f0a0985659f325bd8f84fc
- SHA256
  
  d11093fdc1d5c9213b9b2886ce91db3ded17ef8dae1615a8c7ffbc55b8e3f79b
- SHA512
  
  71965e8dd2fd81d0c6dba4dbec8d2d1bfd4a644ef6bba4f6027de4bcdf9c07da16f27f2156c21b52e678c75f0a93a4bcbc3e1942f0a73f1eea5ff64b70662f70
- SSDEEP
  
  384:WCGeVxWfhWD+Y3DGk8ZpH3GCJErYtN+Y3DGUO8JN77hhTew:3GeVmyDGkiRBEojDGa3h9ew
Score

1^/10
behavioral25
- Target
  
  files/x86/api-ms-win-core-string-l1-1-0.dll
- Size
  
  17KB
- MD5
  
  2e5c29fc652f432b89a1afe187736c4d
- SHA1
  
  96f8480b9339411d5d8c94918e983523b1a55c56
- SHA256
  
  3807db7acf1b40c797e4d4c14a12c3806346ae56b25e205e600be3e635c18d4f
- SHA512
  
  fe1135532e18127f2cfefaaa4a19020d6c790374f648dc93383d58ee52b147d1451af01b8624234bd5d77abe2451eb3e15cbe72a19d283f00cf78c05c43041df
- SSDEEP
  
  384:W4yMv9WfhWx+Y3DGk8ZpH3GCJEr4ey/+Y3DGU888JN77hhnY1:DyMvaIDGkiRBEsnDGX3hxY1
Score

1^/10
behavioral26
- Target
  
  files/x86/api-ms-win-core-synch-l1-1-0.dll
- Size
  
  19KB
- MD5
  
  979c67ba244e5328a1a2e588ff748e86
- SHA1
  
  4c709ce527550eb7534cb6362afdb3623c98254e
- SHA256
  
  8bb38a7a59fbaa792b3d5f34f94580429588c8c592929cbd307afd5579762abc
- SHA512
  
  49f3c3319aa462b445c6a0b816e10034f6e5a9cf1250ea30b348cfa1ef71525e9f62e2f13253f61375f51fc574847de0d509cffa95103771be356327d5fef90d
- SSDEEP
  
  384:Wjdv3V0dfpkXc0vVaCWfhWt+Y3DGk8ZpH3GCJErHZpn+Y3DGUrUN8JN77hhYl:Wdv3VqpkXc0vVabkDGkiRBEtplDGEUq8
Score

1^/10
behavioral27
- Target
  
  files/x86/api-ms-win-core-synch-l1-2-0.dll
- Size
  
  17KB
- MD5
  
  659e4febc208545a2e23c0c8b881a30d
- SHA1
  
  11b890cc05c1e7c95f59eda4bb8ce8bc12b81591
- SHA256
  
  9ac63682e03d55a5d18405d336634af080dd0003b565d12a39d6d71aaa989f48
- SHA512
  
  010ab6d3971fabd2a956f891b8d9d20ef487e722443b2882a1a329830dc5c80d262e03a844cd3f5c3e4efcfbad72b9e1fbbf7d9dc6cf85ed034d84726946ce07
- SSDEEP
  
  384:WHtZ36WfhW8+Y3DGk8ZpH3GCJEFxMDD+Y3DGEC8q8JN77hhFGT:EbDGkiRBEsJDGS13hj+
Score

1^/10
behavioral28
- Target
  
  files/x86/api-ms-win-core-sysinfo-l1-1-0.dll
- Size
  
  18KB
- MD5
  
  cef4b9f680faae322170b961a3421c5b
- SHA1
  
  dd89a2d355df989bbd8648789472bfe9c14afcd5
- SHA256
  
  1fe918979f1653d63bb713d4716910d192cd09f50017a6ecb4ce026ed6285df9
- SHA512
  
  f56617290d4ac25231631d708a6c8b003bdd358bae9672f7dee539a96b292c13e04c65ba5f05937c52f73288eb3dd7cba479ed030942a0d9d3a15512548fa4a9
- SSDEEP
  
  384:WBTnWfhWt+Y3DGk8ZpH3GCJEFxqIDh/h+Y3DGER6vJ8JN77hhHWT:0TsIDGkiRBE+IxfDGM6vW3h5WT
Score

1^/10
behavioral29
- Target
  
  files/x86/api-ms-win-core-timezone-l1-1-0.dll
- Size
  
  17KB
- MD5
  
  69df2cce4528c9e38d04a461ba1f992b
- SHA1
  
  bb1d0da76cf696acf2e0f4e03e6d63fbad4325aa
- SHA256
  
  a108a8f20ded00e742a1f818ef00eb425990b6b24a2bcd060dea4d7f06d3f165
- SHA512
  
  4d02eecdda0fffc10d5509830079984c7a887b4ca3a80359aa56117b302dcfa594b0710c9f415c823d1674b5c689d31aade44f21750ccd7d53010e67f0b6f0d2
- SSDEEP
  
  384:WGOWfhWc+Y3DGk8ZpH3GCJEFxi+3T7Tu+Y3DGEu8JN77hh2KI:5XDGkiRBEm+uDGQ3h7I
Score

1^/10
behavioral30
- Target
  
  files/x86/api-ms-win-core-util-l1-1-0.dll
- Size
  
  17KB
- MD5
  
  c6553959aecd5bac01c0673cfdf86b68
- SHA1
  
  045585659843f7214c79659a88302996bfb480a2
- SHA256
  
  68bd9c086d210eb14e78f00988ba88ceaf9056c8f10746ab024990f8512a2296
- SHA512
  
  ae8e42a428202d05fea4f1e6a4d3b919b644a792567f876b0fc392b1cddb856547b4c3b433c002fded6df4d4daec8fb7235f30d1ff9f42943d9e2557ade364d6
- SSDEEP
  
  384:WyzWWfhW++Y3DGk8ZpH3GCJErst5+Y3DGU1a8JN77hh8T:35DGkiRBEQpDGw3hKT
Score

1^/10
behavioral31
- Target
  
  files/x86/api-ms-win-crt-conio-l1-1-0.dll
- Size
  
  18KB
- MD5
  
  7190cbfad2d7773d3b88ccc25533a651
- SHA1
  
  71fe2bacc14b433d51328ea0810c1a030c80d844
- SHA256
  
  4aeeae0ac9f6c1b0b8835067ea3b7fc429f353565f18de7858f4ea5d6f72072e
- SHA512
  
  b314666c400268bf261c5f9e9966ad0680435241e7a24d85b28ae4405d798b80eedb65ed8db7e8d93df90f886a6719a8b7ace8c25d0429392bc061868890c40c
- SSDEEP
  
  384:WL5WfhWO+Y3DGk8ZpH3GCJErBf+Y3DGUCU8JN77hhIw:FVDGkiRBELDGfX3hKw
Score

1^/10
behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Vidar Stealer

Stealc

Vidar

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32