amadey | 510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13 | Triage

Sharing

General

Target

510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13
Size

217KB
Sample

240212-rm127sfg6t
MD5

b0929538ca1c6518ce2280c62daf4383
SHA1

5cae6b0c7254659c66ca14e7d6e1b5bfc481acf4
SHA256

510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13
SHA512

c22881eb36ea57b2594c452c5fd5011f0a03952f7cb33173ba25f4a2a94aa1cada626ac2b37e994438459e5bbbbe0db1cd5fcf4a910316dbfd0b679a6e442e65
SSDEEP

3072:h3tinQnUoC0pvo/UwLsxGqNWUE7FO2XnazDDP0zgGCV5HVFUjWjJkp:h3cnQnO+vAsxzGO0a/DP005HYjWjm

Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Targets

- Target
  
  510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13
- Size
  
  217KB
- MD5
  
  b0929538ca1c6518ce2280c62daf4383
- SHA1
  
  5cae6b0c7254659c66ca14e7d6e1b5bfc481acf4
- SHA256
  
  510e24972c4ed6f2529fb8484f55eec70ce2b5e31075cc0b3e5446bd0ead9b13
- SHA512
  
  c22881eb36ea57b2594c452c5fd5011f0a03952f7cb33173ba25f4a2a94aa1cada626ac2b37e994438459e5bbbbe0db1cd5fcf4a910316dbfd0b679a6e442e65
- SSDEEP
  
  3072:h3tinQnUoC0pvo/UwLsxGqNWUE7FO2XnazDDP0zgGCV5HVFUjWjJkp:h3cnQnO+vAsxzGO0a/DP005HYjWjm
Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeysmokeloaderpub3backdoorspywarestealertrojan

behavioral2

amadeysmokeloaderpub3backdoortrojan