amadey | eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe
Size

224KB
MD5

d7f791f67fb593cf46c41bc7a87cc1fc
SHA1

349315a72963954fcd91a9d3e5ef479935d32aea
SHA256

eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4
SHA512

d0079b7eec9dd5fe773f1347764d5e4eab433421411fa80cc8e7d7644afebe116c0a902722162b56476a5da718a03212291eab212aaeffb29f4a6740ceed97df
SSDEEP

3072:vBcLODkfawj5E3qCOc6WBQf8bDcAJg3vXMMA5mWTW:MfalqRc6Az0FvvW

Score

10^/10

amadey smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.14

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1144	Process not Found

Executes dropped EXE 4 IoCs

pid	Process
2428	8A84.exe
2612	Utsysc.exe
2272	Utsysc.exe
2368	Utsysc.exe

Loads dropped DLL 14 IoCs

pid	Process
2428	8A84.exe
2428	8A84.exe
1676	rundll32.exe
1676	rundll32.exe
1676	rundll32.exe
1676	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe
2456	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe
2016	eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found
1144	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2016	eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1144	Process not Found
Token: SeShutdownPrivilege	1144	Process not Found
Token: SeShutdownPrivilege	1144	Process not Found
Token: SeShutdownPrivilege	1144	Process not Found
Token: SeShutdownPrivilege	1144	Process not Found
Token: SeShutdownPrivilege	1144	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2428	8A84.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2428	1144	Process not Found	28
PID 1144 wrote to memory of 2428	1144	Process not Found	28
PID 1144 wrote to memory of 2428	1144	Process not Found	28
PID 1144 wrote to memory of 2428	1144	Process not Found	28
PID 2428 wrote to memory of 2612	2428	8A84.exe	29
PID 2428 wrote to memory of 2612	2428	8A84.exe	29
PID 2428 wrote to memory of 2612	2428	8A84.exe	29
PID 2428 wrote to memory of 2612	2428	8A84.exe	29
PID 2612 wrote to memory of 2976	2612	Utsysc.exe	32
PID 2612 wrote to memory of 2976	2612	Utsysc.exe	32
PID 2612 wrote to memory of 2976	2612	Utsysc.exe	32
PID 2612 wrote to memory of 2976	2612	Utsysc.exe	32
PID 2588 wrote to memory of 2272	2588	taskeng.exe	38
PID 2588 wrote to memory of 2272	2588	taskeng.exe	38
PID 2588 wrote to memory of 2272	2588	taskeng.exe	38
PID 2588 wrote to memory of 2272	2588	taskeng.exe	38
PID 2612 wrote to memory of 1060	2612	Utsysc.exe	39
PID 2612 wrote to memory of 1060	2612	Utsysc.exe	39
PID 2612 wrote to memory of 1060	2612	Utsysc.exe	39
PID 2612 wrote to memory of 1060	2612	Utsysc.exe	39
PID 2612 wrote to memory of 1060	2612	Utsysc.exe	39
PID 2612 wrote to memory of 1060	2612	Utsysc.exe	39
PID 2612 wrote to memory of 1060	2612	Utsysc.exe	39
PID 2612 wrote to memory of 1424	2612	Utsysc.exe	40
PID 2612 wrote to memory of 1424	2612	Utsysc.exe	40
PID 2612 wrote to memory of 1424	2612	Utsysc.exe	40
PID 2612 wrote to memory of 1424	2612	Utsysc.exe	40
PID 2612 wrote to memory of 1424	2612	Utsysc.exe	40
PID 2612 wrote to memory of 1424	2612	Utsysc.exe	40
PID 2612 wrote to memory of 1424	2612	Utsysc.exe	40
PID 2612 wrote to memory of 1676	2612	Utsysc.exe	41
PID 2612 wrote to memory of 1676	2612	Utsysc.exe	41
PID 2612 wrote to memory of 1676	2612	Utsysc.exe	41
PID 2612 wrote to memory of 1676	2612	Utsysc.exe	41
PID 2612 wrote to memory of 1676	2612	Utsysc.exe	41
PID 2612 wrote to memory of 1676	2612	Utsysc.exe	41
PID 2612 wrote to memory of 1676	2612	Utsysc.exe	41
PID 2612 wrote to memory of 1868	2612	Utsysc.exe	43
PID 2612 wrote to memory of 1868	2612	Utsysc.exe	43
PID 2612 wrote to memory of 1868	2612	Utsysc.exe	43
PID 2612 wrote to memory of 1868	2612	Utsysc.exe	43
PID 2612 wrote to memory of 1868	2612	Utsysc.exe	43
PID 2612 wrote to memory of 1868	2612	Utsysc.exe	43
PID 2612 wrote to memory of 1868	2612	Utsysc.exe	43
PID 2588 wrote to memory of 2368	2588	taskeng.exe	46
PID 2588 wrote to memory of 2368	2588	taskeng.exe	46
PID 2588 wrote to memory of 2368	2588	taskeng.exe	46
PID 2588 wrote to memory of 2368	2588	taskeng.exe	46
PID 2612 wrote to memory of 2456	2612	Utsysc.exe	47
PID 2612 wrote to memory of 2456	2612	Utsysc.exe	47
PID 2612 wrote to memory of 2456	2612	Utsysc.exe	47
PID 2612 wrote to memory of 2456	2612	Utsysc.exe	47
PID 2612 wrote to memory of 2456	2612	Utsysc.exe	47
PID 2612 wrote to memory of 2456	2612	Utsysc.exe	47
PID 2612 wrote to memory of 2456	2612	Utsysc.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe
"C:\Users\Admin\AppData\Local\Temp\eff8612cdca5d44379526dc7516585270fe29c50c98b499a51bb12fca1f0b1f4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2016

C:\Users\Admin\AppData\Local\Temp\8A84.exe
C:\Users\Admin\AppData\Local\Temp\8A84.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2976
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1676
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1868
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2456

C:\Windows\system32\taskeng.exe
taskeng.exe {286B3572-0DEF-4FDE-9D82-D8A188D2A4DC} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\818056530936

Filesize
65KB

MD5
eea36ea331af4937c40d5571598d63e2

SHA1
70a0c1f274c2f8601e53ed987a4a640c7dca6c12

SHA256
18f79871da6d7550a80c2bc3a4c967a4bbe835c2c34b6e0f071e7477119f45a9

SHA512
b5898981672b8285e8cf90787eb9332de010949af2916f4a2e9cfc92c7bdf979dc2558498dd0ec3b08f92f8f2e0ce1b3b605645362b2d917e3835f2eb94204cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A84.exe

Filesize
379KB

MD5
fb6f8c4c58f169da9d88f0942bbced66

SHA1
2743093a8f8f29f54b0b2cdf07748c2505c81623

SHA256
e5069b8a099620d018aae85ec15a73cd5f6e820c82271146a8fa0ada3aec6c34

SHA512
d59faa7e911f2e2bce252980e05df12a2894506b730184f87d1f19f90387a7c11cf0bbdb55a710692ec6418a7e762e63c22cfef31723988b3926f2599e441775

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
e5b11787373e9caac1adf453993f1c2a

SHA1
d5417f6f536a48b1996ef3c3a1f02b161c67b404

SHA256
3ba0df6fcda86029371ccf65eb0504b532ea3858b26bdf7dedbbefb5b896db18

SHA512
d1fcca2fa21e16472a7a8b896f5ce97a22e490ee9a755a19f3acd6425c1ee4a66386a6151b8dda85b3ba2cb9c715eddd6d8eebe0101a61281407179068b8b398

Download Submit
memory/1144-4-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

Filesize
88KB

Download
memory/2016-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2016-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2016-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2272-59-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2272-60-0x00000000005D4000-0x000000000060F000-memory.dmp

Filesize
236KB

Download
memory/2368-105-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2368-97-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2368-98-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2428-19-0x0000000000360000-0x00000000003CF000-memory.dmp

Filesize
444KB

Download
memory/2428-21-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2428-18-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2428-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2428-20-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2428-36-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2612-72-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2612-52-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2612-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2612-37-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2612-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2612-94-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2612-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2612-61-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2612-103-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2612-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download