amadey | d16704455547e98721bdc8ebc9a233376b24f086469b707fccf10da54eb77744 | Triage

Sharing

General

Target

d16704455547e98721bdc8ebc9a233376b24f086469b707fccf10da54eb77744
Size

229KB
Sample

221228-pakhksad46
MD5

96aa7e5cd62710829a1f3b17922fc117
SHA1

edd95f2c58e1c5dde12aff974e6d42ea7469695b
SHA256

d16704455547e98721bdc8ebc9a233376b24f086469b707fccf10da54eb77744
SHA512

e0d619d48fde2af62fef20ec4ff65e0d24852150ca560d6461a851843f775f516fa8cb63d32ec6ef2556aa8d53a3c78c4da529a91b67a9ce59169c377c162f74
SSDEEP

3072:kXRcBLv/M7j5vuvW1YPG8vqGqSMiustPtYKs/xAI99:G6LvE7N1WlcLQ1YDZ

Score

10^/10

amadey gozi smokeloader 22500 backdoor banker collection isfb spyware stealer trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://

s28bxcw.xyz

config.edgse.skype.com

http://89.43.107.7

Attributes

base_path
/recycle/
build
250249
exe_type
loader
extension
.alo
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

amadey

Version

3.63

C2

62.204.41.165/g8sjnd3xe/index.php

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://5icvzwz.xyz

http://185.14.45.80

Attributes

base_path
/recycle/
build
250249
exe_type
worker
extension
.alo
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  d16704455547e98721bdc8ebc9a233376b24f086469b707fccf10da54eb77744
- Size
  
  229KB
- MD5
  
  96aa7e5cd62710829a1f3b17922fc117
- SHA1
  
  edd95f2c58e1c5dde12aff974e6d42ea7469695b
- SHA256
  
  d16704455547e98721bdc8ebc9a233376b24f086469b707fccf10da54eb77744
- SHA512
  
  e0d619d48fde2af62fef20ec4ff65e0d24852150ca560d6461a851843f775f516fa8cb63d32ec6ef2556aa8d53a3c78c4da529a91b67a9ce59169c377c162f74
- SSDEEP
  
  3072:kXRcBLv/M7j5vuvW1YPG8vqGqSMiustPtYKs/xAI99:G6LvE7N1WlcLQ1YDZ
Score

10^/10

amadey gozi smokeloader 22500 backdoor banker collection isfb spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeygozismokeloader22500backdoorbankercollectionisfbspywarestealertrojan