amadey | 679e55f3d3d0080d45e352c36c58fcd94fdaacc6f74ffc7cbb19b03911ef5611 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

679e55f3d3d0080d45e352c36c58fcd94fdaacc6f74ffc7cbb19b03911ef5611
Size

188KB
Sample

221125-aq9p3sch5w
MD5

a1869e1eecba9d00d4de3c9f274374ad
SHA1

5dbefd0a2c7b3bd79a7664ff9ca517a4257b42f9
SHA256

679e55f3d3d0080d45e352c36c58fcd94fdaacc6f74ffc7cbb19b03911ef5611
SHA512

2a6bf01aa251d3b44642c8c6ed92bbdb6b6f9ac4cfb707b6b98982568ccfad985da7f22018da3bdc8a120836e6de3422569023aa16d28af3ebc80c921a77e891
SSDEEP

3072:CH9bzazHTZrY/TxLiUE41a9B2D5E5JLmr6CzHyTut8IQZB0YZ9Y2Ozh:o9idiLjE4sBfJeHybRZnZ9VO9

Score

10^/10

amadey smokeloader backdoor collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

679e55f3d3d0080d45e352c36c58fcd94fdaacc6f74ffc7cbb19b03911ef5611.exe

Resource

win10v2004-20220812-en

amadey smokeloader backdoor collection spyware stealer trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.65/o7VsjdSa2f/index.php

Targets

- Target
  
  679e55f3d3d0080d45e352c36c58fcd94fdaacc6f74ffc7cbb19b03911ef5611
- Size
  
  188KB
- MD5
  
  a1869e1eecba9d00d4de3c9f274374ad
- SHA1
  
  5dbefd0a2c7b3bd79a7664ff9ca517a4257b42f9
- SHA256
  
  679e55f3d3d0080d45e352c36c58fcd94fdaacc6f74ffc7cbb19b03911ef5611
- SHA512
  
  2a6bf01aa251d3b44642c8c6ed92bbdb6b6f9ac4cfb707b6b98982568ccfad985da7f22018da3bdc8a120836e6de3422569023aa16d28af3ebc80c921a77e891
- SSDEEP
  
  3072:CH9bzazHTZrY/TxLiUE41a9B2D5E5JLmr6CzHyTut8IQZB0YZ9Y2Ozh:o9idiLjE4sBfJeHybRZnZ9VO9
Score

10^/10

amadey smokeloader backdoor collection spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

amadeysmokeloaderbackdoorcollectionspywarestealertrojan

© 2018-2024

Terms | Privacy