Resubmissions

13-02-2024 00:43

240213-a2wycsgh57 10

12-02-2024 04:50

240212-fgplfadc73 10

General

  • Target

    2867629034ad3756930e22f7c88160253e84db1925821f1b214848feee03db10

  • Size

    225KB

  • Sample

    240212-fgplfadc73

  • MD5

    f123a3c55ee8045dfcf54a8693b0110c

  • SHA1

    b3ab0c7093b0c310e4c8d42a567612acaf76db5c

  • SHA256

    2867629034ad3756930e22f7c88160253e84db1925821f1b214848feee03db10

  • SHA512

    341da20b5ca67dcbb679471656d5ec2e4ffa40b8c1e20b47eb4bb99b311c8e671a2a18a6c55c883b32a7b86910d8c3b9f2ab9b2c1861db1753e26d733f5c4191

  • SSDEEP

    3072:Z+cb+DkUDfglo9lKQgkdBxuKQn2Y5SEsvda5XMmA5yuTDPW:3kku3xg2Y5SEaadFY

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub3

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://sjyey.com/tmp/index.php
    http://babonwo.ru/tmp/index.php
    http://mth.com.ua/tmp/index.php
    http://piratia.pw/tmp/index.php
    http://go-piratia.ru/tmp/index.php

  • rc4.i32

Extracted

  • Family

    amadey

  • Version

    4.14

  • C2

    http://anfesq.com
    http://cbinr.com
    http://rimakc.ru

  • Attributes

    • install_dir

      68fd3d7ade

    • install_file

      Utsysc.exe

    • strings_key

      27ec7fd6f50f63b8af0c1d3deefcc8fe

    • url_paths

      /forum/index.php

  • rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks