amadey | 33f640b875bb7ce1176888c74bfb7b4e09e102ee229cecba7cc1299a016c0243 | Triage

Submit
Reports

Overview

overview

Static

static

bee21ffa93...bc.exe

windows7-x64

bee21ffa93...bc.exe

windows10-2004-x64

Sharing

General

Target

bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc
Size

126KB
Sample

221124-ttgy1sab8s
MD5

b965774d46e28c1f52a13288090b71cb
SHA1

75ba3a3361a96231ebbc578dccb2531f78532c91
SHA256

33f640b875bb7ce1176888c74bfb7b4e09e102ee229cecba7cc1299a016c0243
SHA512

8c4e7e94a67767be91076915f76379cc03393a75f26616178e06ef631bc341e5e128c30b0aae014bc0b65438f7f77538ca408b257c56b6f878f50a3b9e814cda
SSDEEP

3072:01BIrLaj1H8YCUiqMPHx57YlJUGi9SKrhmjs3:01GS1cvpqK7caGoSKT3

Score

10^/10

amadey smokeloader backdoor persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc.exe

Resource

win7-20220901-en

smokeloader backdoor trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc.exe

Resource

win10v2004-20220812-en

amadey smokeloader backdoor persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

193.56.146.194/h49vlBP/index.php

1h3art.me/i4kvjd3xc/index.php

Targets

- Target
  
  bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc
- Size
  
  186KB
- MD5
  
  f57f3df41e4e1123477d9e31a319e463
- SHA1
  
  bea4a79f6661843f75f41ea9d7ecd5afdfd9fb09
- SHA256
  
  bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc
- SHA512
  
  9d12426c7fe90ce67ad5f0c3e6fa3ca64ce91484550398e6b11ca6b22aa7d88ee1f678ae3cc120ae2685d23636730c77df74af48334b6e87703999650b38dfe1
- SSDEEP
  
  3072:VsWWyp/VkRjnY7YLvDNjrQuP5UZ+BXlzUW9Bi9SKrAtMUrH:NW+VxYLLNj0dZ+Bh9BoSKct7
Score

10^/10

smokeloader backdoor trojan amadey persistence
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

amadeysmokeloaderbackdoorpersistencetrojan

© 2018-2024

Terms | Privacy