amadey | edc235f5b21f8230e1287d22bd884bc8c36424210b4c14e8e9c2f2e0dedd3f7e | Triage

Resubmissions

05-04-2024 08:20

240405-j8vtbafc3s 10

08-02-2024 23:45

240208-3r8hmach4x 10

Sharing

General

Target

edc235f5b21f8230e1287d22bd884bc8c36424210b4c14e8e9c2f2e0dedd3f7e
Size

168KB
Sample

240208-3r8hmach4x
MD5

ec093454a010a3e301e6b6e4cb5184cb
SHA1

d9912927633c0d7f95edab4a8cabacccf7ab58d6
SHA256

edc235f5b21f8230e1287d22bd884bc8c36424210b4c14e8e9c2f2e0dedd3f7e
SHA512

0fe24aa7fee463d2dc4bbcb628210bbbebc8f09495766a116da7e2ae9622daaa9d6a9a8ac2eda206a378987ec975f7cd87249d376b9775aef7fc820a7a07a027
SSDEEP

3072:42w44jo5hGz+SbvmhBGNm0T3eLQFbAwQeeyGACS:4HLyXG6H0TUGg

Score

10^/10

amadey smokeloader pub3 backdoor collection discovery spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Targets

- Target
  
  edc235f5b21f8230e1287d22bd884bc8c36424210b4c14e8e9c2f2e0dedd3f7e
- Size
  
  168KB
- MD5
  
  ec093454a010a3e301e6b6e4cb5184cb
- SHA1
  
  d9912927633c0d7f95edab4a8cabacccf7ab58d6
- SHA256
  
  edc235f5b21f8230e1287d22bd884bc8c36424210b4c14e8e9c2f2e0dedd3f7e
- SHA512
  
  0fe24aa7fee463d2dc4bbcb628210bbbebc8f09495766a116da7e2ae9622daaa9d6a9a8ac2eda206a378987ec975f7cd87249d376b9775aef7fc820a7a07a027
- SSDEEP
  
  3072:42w44jo5hGz+SbvmhBGNm0T3eLQFbAwQeeyGACS:4HLyXG6H0TUGg
Score

10^/10

amadey smokeloader pub3 backdoor collection discovery spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeysmokeloaderpub3backdoorcollectiondiscoveryspywarestealertrojan

behavioral2

amadeysmokeloaderpub3backdoorcollectiondiscoveryspywarestealertrojan