amadey

Sharing

Copy URL

Twitter E-mail

General

Target

random.exe3
Size

938KB
Sample

250322-t1813s1jw4
MD5

bcefbd57340b3f8c39699195c2946d69
SHA1

73eb2f2c99d6a7141fc577d9375ae3992ac58b4a
SHA256

8339734ef64625aea2605628510e071dccbb57941c2dd068c8b34fc859c4f2ec
SHA512

a9cdc53ff3b7b5c6913353a70a268e88a61dd1a7b4ad9f2cf5657b28ff5b612cf8c20275e070c54a31acb83ea1608d273c2217e56415e1a8c0626c6b82681b9f
SSDEEP

24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:9TvC/MTQYxsWR7a0J

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

xworm

Version

5.0

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

212.56.35.232:101

Mutex

QSR_MUTEX_LoEArEgGuZRG2bQs0E

Attributes

encryption_key
yMvSAv7B2dURg67QYU5x
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchosta
subdirectory
media

Extracted

Family

vidar

Version

13.2

Botnet

80621af4947f6f7800865a5c80d8f329

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Targets

- Target
  
  random.exe3
- Size
  
  938KB
- MD5
  
  bcefbd57340b3f8c39699195c2946d69
- SHA1
  
  73eb2f2c99d6a7141fc577d9375ae3992ac58b4a
- SHA256
  
  8339734ef64625aea2605628510e071dccbb57941c2dd068c8b34fc859c4f2ec
- SHA512
  
  a9cdc53ff3b7b5c6913353a70a268e88a61dd1a7b4ad9f2cf5657b28ff5b612cf8c20275e070c54a31acb83ea1608d273c2217e56415e1a8c0626c6b82681b9f
- SSDEEP
  
  24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:9TvC/MTQYxsWR7a0J
Score

10^/10

amadey quasar skuld vidar xworm 092155 telegram agilenet credential_access defense_evasion discovery execution persistence rat spyware stealer themida trojan upx 80621af4947f6f7800865a5c80d8f329
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Skuld family
  skuld
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2