amadey | 0b7458d5214e277adc1a91651115dfaf1559dc80fbb874a13b8e97a7cc77f087 | Triage

Submit
Reports

Overview

overview

Static

static

42aed74af7...85.exe

windows7-x64

42aed74af7...85.exe

windows10-2004-x64

Sharing

General

Target

42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885
Size

115KB
Sample

221125-3az5xseb36
MD5

7c952d856d2f9e00383d6b6a13fe2269
SHA1

ba0c9e6ae23fd4d9542956957478e2641f92b275
SHA256

0b7458d5214e277adc1a91651115dfaf1559dc80fbb874a13b8e97a7cc77f087
SHA512

d717b65d40bbb26cc0c52d66a5ac697a2348432d86baea4f71282f94afe9fb589ecbad4fd70baf19ed9ea9e18f8a75a8481947c54b06c6e909fa0f66651cef6f
SSDEEP

3072:jT+/TT4vLcGdh7qMxBhj/HnZW9rH2L/345Qk:jy/T0cGdpBhjBW9rH2LQ6k

Score

10^/10

amadey smokeloader backdoor collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885.exe

Resource

win7-20221111-en

smokeloader backdoor trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885.exe

Resource

win10v2004-20220901-en

amadey smokeloader backdoor collection spyware stealer trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.65/o7VsjdSa2f/index.php

193.56.146.194/h49vlBP/index.php

Targets

- Target
  
  42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885
- Size
  
  167KB
- MD5
  
  6a94a4e3527df402262f107808151912
- SHA1
  
  b15f74212b1deb0467449d71dfd861f5f451b18d
- SHA256
  
  42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885
- SHA512
  
  ed596ab03158c78dc27a6736f7ae6403c8b70aed20f73073b6da4d8d17ee533804a0f693ce66df1edef0fa676575ee795f565fc434d15a384ab0a63cbe6b9d47
- SSDEEP
  
  3072:TQ9aPFUzFUulC8S55iYBzvNnUCv9zvT+dHSjOc2m2t:Ka9uemCdiYBzFnUCv9z7Fjox
Score

10^/10

smokeloader backdoor trojan amadey collection spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

amadeysmokeloaderbackdoorcollectionspywarestealertrojan

© 2018-2024

Terms | Privacy