amadey | 22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21 | Triage

Sharing

General

Target

22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21
Size

217KB
Sample

240212-w2ppyace75
MD5

34d6101588b61ba8e9b4d0c536ecd77c
SHA1

91e70f4960d0fcd1c6af828dfaedc3f705ebc773
SHA256

22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21
SHA512

79dd27db42e58f79353b4f3396d8f5b7a286b99a9b5223671bf4fe5c653a9d9bbbe792f1307d0c1002c1e44e7dfdb218d0ccab06f5e3df7cafb042572546c2c7
SSDEEP

3072:iH2KZ8t0X6rJrqodM+dxv1G086+6jP00ztLR5HVFUjWjJkp:iHfZ8S+RHHv1GT+P0eVR5HYjWjm

Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Targets

- Target
  
  22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21
- Size
  
  217KB
- MD5
  
  34d6101588b61ba8e9b4d0c536ecd77c
- SHA1
  
  91e70f4960d0fcd1c6af828dfaedc3f705ebc773
- SHA256
  
  22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21
- SHA512
  
  79dd27db42e58f79353b4f3396d8f5b7a286b99a9b5223671bf4fe5c653a9d9bbbe792f1307d0c1002c1e44e7dfdb218d0ccab06f5e3df7cafb042572546c2c7
- SSDEEP
  
  3072:iH2KZ8t0X6rJrqodM+dxv1G086+6jP00ztLR5HVFUjWjJkp:iHfZ8S+RHHv1GT+P0eVR5HYjWjm
Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeysmokeloaderpub3backdoorspywarestealertrojan

behavioral2

amadeysmokeloaderpub3backdoorspywarestealertrojan