amadey | e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3 | Triage

Submit
Reports

Overview

overview

Static

static

3

e4618fdcd5...b3.exe

windows7-x64

e4618fdcd5...b3.exe

windows10-2004-x64

Sharing

General

Target

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
Size

223KB
Sample

240207-1jw4hsbee5
MD5

e5f1b768a60cb6457200a8056398f60b
SHA1

676c1edbeedffb2e18e40181ff241dfa774c285a
SHA256

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3
SHA512

6ae768714ac49dcc232cad66181ba8e366582cd911ffbab3a7d8f4f76680f0ad9f63c48ef4eb47290a317357c970e094ba321c2dbb59a770c96c1f5dd669cf92
SSDEEP

3072:g2Zy6hujxaMXP3OwoBXYQk9guGjRN+WMvtOAM49uHZZFGGgjaaSpGq/B:g2nEaMmRBIYu6N+1N4HZx9p7

Score

10^/10

amadey smokeloader pub2 backdoor spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe

Resource

win7-20231215-en

amadey smokeloader pub2 backdoor spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe

Resource

win10v2004-20231222-en

amadey smokeloader pub2 backdoor spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2022

C2

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Targets

- Target
  
  e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3.exe
- Size
  
  223KB
- MD5
  
  e5f1b768a60cb6457200a8056398f60b
- SHA1
  
  676c1edbeedffb2e18e40181ff241dfa774c285a
- SHA256
  
  e4618fdcd51ef710ca424f7710683e49f7e31b9c8f1cf6e4ce6a118a5c14a5b3
- SHA512
  
  6ae768714ac49dcc232cad66181ba8e366582cd911ffbab3a7d8f4f76680f0ad9f63c48ef4eb47290a317357c970e094ba321c2dbb59a770c96c1f5dd669cf92
- SSDEEP
  
  3072:g2Zy6hujxaMXP3OwoBXYQk9guGjRN+WMvtOAM49uHZZFGGgjaaSpGq/B:g2nEaMmRBIYu6N+1N4HZx9p7
Score

10^/10

amadey smokeloader pub2 backdoor spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

amadeysmokeloaderpub2backdoorspywarestealertrojan

behavioral2

amadeysmokeloaderpub2backdoorspywarestealertrojan

© 2018-2024

Terms | Privacy