General

  • Target

    basic.exe

  • Size

    253KB

  • Sample

    240204-1yp9hsdgcn

  • MD5

    9a8b143fffb681bc102a279c5ce95c9f

  • SHA1

    928d90aa435e7b16bbad8dc37afc5bda23053519

  • SHA256

    f095ee1a9fd422f9a5800748836d9ed5fc41cd821e3e2e3b578f88c4ef6d1c8c

  • SHA512

    818df38fda0d85353123a4cdf5ec1abf2a282a2008b6dcdb53c9db4982c9bbc89ea315a673250bd5f986263ddb3f9ed0950aa42cd8d9b2db64c3830974221c02

  • SSDEEP

    3072:0GU27+ec+fm/+tdkbN0s8xph0LR/hSMXlk4ZqKFya5XB67TTlHAqv7:fm+fm/c88ph0lhSMXlBXBWnlHAqv

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    amadey

  • Version

    4.14

  • C2

    http://anfesq.com

    http://cbinr.com

    http://rimakc.ru

  • Attributes

    • install_dir

      68fd3d7ade

    • install_file

      Utsysc.exe

    • strings_key

      27ec7fd6f50f63b8af0c1d3deefcc8fe

    • url_paths

      /forum/index.php

  • rc4.plain

Targets

    • Target

      basic.exe

    • Size

      253KB

    • MD5

      9a8b143fffb681bc102a279c5ce95c9f

    • SHA1

      928d90aa435e7b16bbad8dc37afc5bda23053519

    • SHA256

      f095ee1a9fd422f9a5800748836d9ed5fc41cd821e3e2e3b578f88c4ef6d1c8c

    • SHA512

      818df38fda0d85353123a4cdf5ec1abf2a282a2008b6dcdb53c9db4982c9bbc89ea315a673250bd5f986263ddb3f9ed0950aa42cd8d9b2db64c3830974221c02

    • SSDEEP

      3072:0GU27+ec+fm/+tdkbN0s8xph0LR/hSMXlk4ZqKFya5XB67TTlHAqv7:fm+fm/c88ph0lhSMXlBXBWnlHAqv

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Fabookie payload

    • Detect ZGRat V1

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Stops running service(s)

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks