amadey | af3b57d6739bba71a8aa5f368b1e4972f2552ca6305026d8d4d503e86f3c27d5 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

af3b57d6739bba71a8aa5f368b1e4972f2552ca6305026d8d4d503e86f3c27d5
Size

146KB
Sample

221126-agcnzsbh2y
MD5

026493b7ea5181a2eacdaecf4b7e0941
SHA1

75a258266f156d66156d570935c5b4e845116d8f
SHA256

af3b57d6739bba71a8aa5f368b1e4972f2552ca6305026d8d4d503e86f3c27d5
SHA512

ae7030e2e42f69dcb252f48ee562c4b7113bfa3f741bbbd39b476d3d55e60b74d7aba344778cbd1f54ed64043a527c6ca4a051db05a9e9c75a6bddb78d66e05e
SSDEEP

3072:ajaX5jsz2XD5DPFbllchTRzNxyYMKdW8ttVVt+cDg:pwzIliTRzN3MKM8nVT

Score

10^/10

amadey smokeloader backdoor collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

af3b57d6739bba71a8aa5f368b1e4972f2552ca6305026d8d4d503e86f3c27d5.exe

Resource

win10v2004-20220901-en

amadey smokeloader backdoor collection spyware stealer trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.65/o7VsjdSa2f/index.php

193.56.146.194/h49vlBP/index.php

Targets

- Target
  
  af3b57d6739bba71a8aa5f368b1e4972f2552ca6305026d8d4d503e86f3c27d5
- Size
  
  146KB
- MD5
  
  026493b7ea5181a2eacdaecf4b7e0941
- SHA1
  
  75a258266f156d66156d570935c5b4e845116d8f
- SHA256
  
  af3b57d6739bba71a8aa5f368b1e4972f2552ca6305026d8d4d503e86f3c27d5
- SHA512
  
  ae7030e2e42f69dcb252f48ee562c4b7113bfa3f741bbbd39b476d3d55e60b74d7aba344778cbd1f54ed64043a527c6ca4a051db05a9e9c75a6bddb78d66e05e
- SSDEEP
  
  3072:ajaX5jsz2XD5DPFbllchTRzNxyYMKdW8ttVVt+cDg:pwzIliTRzN3MKM8nVT
Score

10^/10

amadey smokeloader backdoor collection spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

amadeysmokeloaderbackdoorcollectionspywarestealertrojan

© 2018-2024

Terms | Privacy