Overview

overview

10

Static

static

3

#!~#0Pen_2...up.exe

windows7-x64

10

#!~#0Pen_2...up.exe

windows10-2004-x64

10

#!~#0Pen_2...up.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    #!~#0Pen_2025_P@$SW0RD!~!~.zip

  • Size

    18.1MB

  • Sample

    240627-wc1qxasekc

  • MD5

    3976f15e62ecc10eb8af31fbee92e872

  • SHA1

    8679082ad531a9107911f7c7667ceee4e3697d56

  • SHA256

    6f130c92d80d32761afc569d500cd7f82aaaa753209cbb22773c79fdd72da663

  • SHA512

    33231beeb05c3ff00cb85a92995e2ed2176f15e811511d2dffbf22a230375a1a1502999f00a8090ff6c8bb8fca9cc333a1c9f0cd7f27b5e609fbee862ce08bff

  • SSDEEP

    393216:wIDmIN2FdaCiJ9c+ukCvq4cOqFfMLragorEEy++oAQhvyugYtx6XI3WrBqWh:wCAFLic+ukCCLZODWeb4y4Itlz

Score
10/10
amadeystealcvidar3b29eediscoveryspywarestealertrojan

Malware Config

Extracted

Family

vidar

C2

https://aliszon.xyz

https://t.me/g067n

https://steamcommunity.com/profiles/76561199707802586
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6

Extracted

Family

amadey

Version

4.31

Botnet

3b29ee

C2

http://downloadfilesoft.com

http://downloadsoftfiles.com

http://filesoftdownload.com
Attributes
  • strings_key

    ef32af2366669933e54bb0548c8528f9

  • url_paths

    /h9fmdW5/index.php

    /h9fmdW6/index.php

    /h9fmdW7/index.php

rc4.plain

Targets

    • Target

      #!~#0Pen_2025_P@$SW0RD!~!~/Setup.exe

    • Size

      7.2MB

    • MD5

      40fcb4ff0e79abf3d597d88bf87c046c

    • SHA1

      9adf2f749b6be1b31fe7c87b9c0a556f99675db7

    • SHA256

      9b1f4d88a2d0db1954030c38bbaac8f7f7a37575536f4124ebfe074936f14b98

    • SHA512

      12db1efbb48ab196c8e2ed2272b6e9c1a562b251dbecfd1923e22cc621ddc2205b458f500885a51c23b9bc3a64a4d65c64f526ab9e86ee1783382bcd639d0c4b

    • SSDEEP

      196608:+pmkexrpmcylkZu98hFHgyqWg9eRvKYgWc:+pmkeDmcKSIyweRvKYgWc

    Score
    10/10
    amadeystealcvidar3b29eediscoveryspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Vidar Stealer

      stealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks