Overview

overview

10

Static

static

3

3010960c4a...b8.exe

windows7-x64

10

3010960c4a...b8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3010960c4a1bafe8ef712440e65c702d80f7cd05ff6aa22fcef3071de819fcb8

  • Size

    3.1MB

  • Sample

    241226-lv7bassmcy

  • MD5

    54ac0a75d4f6e5a4fd5930904851b84d

  • SHA1

    3a5a99a6fefea2f78b9c581a6a530c8e65c6f908

  • SHA256

    3010960c4a1bafe8ef712440e65c702d80f7cd05ff6aa22fcef3071de819fcb8

  • SHA512

    f06c7adab4ab2bc59eb70efbbbdf17d9fb0c7776bf10c263de173ddc78a09f7ee96ca7bb7cabd8c671f43d221d7508f2a6923e22426839b3c8dcaefd920a0a40

  • SSDEEP

    49152:29atuP51AXhE7JlmTqs3J5nd7jQJMG+I00blNam3TnB6e9BkvY3wy:2Itu7AXy7JlmTqsZ5RQJM90KC7B+

Score
10/10
amadeyvidar9c9aa5credential_accessdiscoveryevasionstealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Targets

    • Target

      3010960c4a1bafe8ef712440e65c702d80f7cd05ff6aa22fcef3071de819fcb8

    • Size

      3.1MB

    • MD5

      54ac0a75d4f6e5a4fd5930904851b84d

    • SHA1

      3a5a99a6fefea2f78b9c581a6a530c8e65c6f908

    • SHA256

      3010960c4a1bafe8ef712440e65c702d80f7cd05ff6aa22fcef3071de819fcb8

    • SHA512

      f06c7adab4ab2bc59eb70efbbbdf17d9fb0c7776bf10c263de173ddc78a09f7ee96ca7bb7cabd8c671f43d221d7508f2a6923e22426839b3c8dcaefd920a0a40

    • SSDEEP

      49152:29atuP51AXhE7JlmTqs3J5nd7jQJMG+I00blNam3TnB6e9BkvY3wy:2Itu7AXy7JlmTqsZ5RQJM90KC7B+

    Score
    10/10
    amadey9c9aa5discoveryevasiontrojanvidarcredential_accessstealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Detect Vidar Stealer

      stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks