Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    299KB

  • Sample

    230206-w52hxaae6s

  • MD5

    d533a3f343dbf28146a125e969d272fb

  • SHA1

    c7ab19850b2b17e0b5d5cb28422e54ea649ff5c5

  • SHA256

    e17b425b67cf8e3b6c6f6d788ef4bccd7fd69b79a0ca7e5c6fcbdb8305568dd7

  • SHA512

    e30ebabfe9ff1812ab5c9ee8ef72d65e6578bc46c84f30028eb584726ac5a81ccd710d47d406ef475651abc713b7ae3764e23af91f2539e2ec7774335fb500c3

  • SSDEEP

    3072:CgMb6bh/LvtDRGUClMyJCWl8AmH9y4wptEuCLb4u8+SeuQjiMTE5rFa1M:C1C/LFgUNyJCPrdy4o/cbeouQj9gFa

Score
10/10
amadeysmokeloaderbackdoortrojanvmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Targets

    • Target

      file.exe

    • Size

      299KB

    • MD5

      d533a3f343dbf28146a125e969d272fb

    • SHA1

      c7ab19850b2b17e0b5d5cb28422e54ea649ff5c5

    • SHA256

      e17b425b67cf8e3b6c6f6d788ef4bccd7fd69b79a0ca7e5c6fcbdb8305568dd7

    • SHA512

      e30ebabfe9ff1812ab5c9ee8ef72d65e6578bc46c84f30028eb584726ac5a81ccd710d47d406ef475651abc713b7ae3764e23af91f2539e2ec7774335fb500c3

    • SSDEEP

      3072:CgMb6bh/LvtDRGUClMyJCWl8AmH9y4wptEuCLb4u8+SeuQjiMTE5rFa1M:C1C/LFgUNyJCPrdy4o/cbeouQj9gFa

    Score
    10/10
    smokeloaderbackdoortrojanamadeyvmprotect

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Smokeloader packer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks