amadey | 396d8d11ef9b4a8817cd4ea51de19407d9c98a9696ddf7c8a5d28f29c856a668 | Triage

Sharing

General

Target

396d8d11ef9b4a8817cd4ea51de19407d9c98a9696ddf7c8a5d28f29c856a668
Size

172KB
Sample

240202-ffs78sgdfj
MD5

3b37f011e11c5cc80ecaed20de1e9cef
SHA1

5d76f95fc61c279d25bbb989991d2e319212386c
SHA256

396d8d11ef9b4a8817cd4ea51de19407d9c98a9696ddf7c8a5d28f29c856a668
SHA512

24b4caf8117e145294ac3d0fea9cb6af2a38107c4ae72494e8ead298547c2ff68a4edc20221d6511a790d73e517f5449c3d7d9fd4364666d228c80e516ab1e01
SSDEEP

3072:wAtL2vJQNJf0yslZZOAFW3K+6Pr01weTS65ihx6TN45:wOLeJQv0nG03Pr0yFh7

Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Targets

- Target
  
  396d8d11ef9b4a8817cd4ea51de19407d9c98a9696ddf7c8a5d28f29c856a668
- Size
  
  172KB
- MD5
  
  3b37f011e11c5cc80ecaed20de1e9cef
- SHA1
  
  5d76f95fc61c279d25bbb989991d2e319212386c
- SHA256
  
  396d8d11ef9b4a8817cd4ea51de19407d9c98a9696ddf7c8a5d28f29c856a668
- SHA512
  
  24b4caf8117e145294ac3d0fea9cb6af2a38107c4ae72494e8ead298547c2ff68a4edc20221d6511a790d73e517f5449c3d7d9fd4364666d228c80e516ab1e01
- SSDEEP
  
  3072:wAtL2vJQNJf0yslZZOAFW3K+6Pr01weTS65ihx6TN45:wOLeJQv0nG03Pr0yFh7
Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeysmokeloaderpub3backdoorspywarestealertrojan

behavioral2

amadeysmokeloaderpub3backdoortrojan