amadey

General

Target

2x.rar
Size

14.6MB
Sample

240619-q57f9s1fqd
MD5

c1159fc3286eb949217ee436bc31a14a
SHA1

29ea7fe377e9ffb2d7b3cb899b8b618de17241da
SHA256

fb389983ad7ef0623d3318ca5e7aa2b484692affa283929504133f825329ea4e
SHA512

39e92d5fc5430b731cacd8e70b2acfd58a48d599b79f66c86e2ce5de153a864c79dc07836291e31af38c533fd15915b5650339e353fea14c490c2d7c0f7f0980
SSDEEP

393216:X7qOAkrPBtzGBwT2DfUomq1CYj97IIY9j5MugpH5NWr9HMLvJLr:Ll55tz+wTrFq1CY57ObMuyH5NWRHGZ

Score

10^/10

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

amadey

Version

4.30

Botnet

ffb1b9

C2

http://proresupdate.com

Attributes

install_dir
4bbb72a446
install_file
Hkbsse.exe
strings_key
1ebbd218121948a356341fff55521237
url_paths
/h9fmdW5/index.php

rc4.plain

Targets

- Target
  
  6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3/files/Setup.exe
- Size
  
  5.5MB
- MD5
  
  9d8649afd4141d960b6545998fbc423b
- SHA1
  
  3ddd700caaebab0a9d2ed640f235d4b716a505de
- SHA256
  
  db2457caa1ccd65e63718b9e28789a12e17bc7a038975fba4f07dcd9f38e7016
- SHA512
  
  0a50681e956df3187a718570fd54600365e8ad805b7e291eb5fc6169df47a6d31596f890419aa36a4f3d983b17eb21eae9e2e51cf5755f8b2b890ba87b752da2
- SSDEEP
  
  49152:88iGSBp0o5I9vl6yoPgbIXayfQUxldpSphlWopc9MTHKsb48bHVGfKiaaQATZ79z:bihyoPgbInQEHY3N3sNfxLlC1Dxeh
Score

10^/10

stealc vidar stealer discovery spyware
- Detect Vidar Stealer
  stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e/files/Setup.exe
- Size
  
  202KB
- MD5
  
  64179e64675e822559cac6652298bdfc
- SHA1
  
  cceed3b2441146762512918af7bf7f89fb055583
- SHA256
  
  c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
- SHA512
  
  ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
- SSDEEP
  
  3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw
Score

10^/10

stealc vidar stealer amadey xmrig ffb1b9 discovery miner spyware trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Vidar Stealer
  stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral3 behavioral4