General

  • Target

    ceb677cfc7a99f7dd569fd9d324dc80193e8baec73afcef9324e1bdc2125b130

  • Size

    230KB

  • Sample

    240213-krhm4adh31

  • MD5

    de36e3595f602299015c17b281d220a5

  • SHA1

    12b7726bcb3c27157c103bfec6213678ad62aed6

  • SHA256

    ceb677cfc7a99f7dd569fd9d324dc80193e8baec73afcef9324e1bdc2125b130

  • SHA512

    c672cc8fd3df1c3013c90e5c31f9f63ab63d65f272ed10c194d15cc7a5de118aae118510b0114dd10122db76760201dbf1f79afb8945e2a1ab4cd37368b3ef08

  • SSDEEP

    3072:1qKNhjpqxmemFwMnvo2DOiwtvpzXzFHF5WYD4HCanq17xOebXnh7y5rYRTS64:JNBfF3BDOXtvRXdWyiHq1dOezh/g6

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub3

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://sjyey.com/tmp/index.php

    http://babonwo.ru/tmp/index.php

    http://mth.com.ua/tmp/index.php

    http://piratia.pw/tmp/index.php

    http://go-piratia.ru/tmp/index.php

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    amadey

  • Version

    4.14

  • C2

    http://anfesq.com

    http://cbinr.com

    http://rimakc.ru

Attributes

  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

  • rc4.plain

Targets

    • Target

      ceb677cfc7a99f7dd569fd9d324dc80193e8baec73afcef9324e1bdc2125b130

    • Size

      230KB

    • MD5

      de36e3595f602299015c17b281d220a5

    • SHA1

      12b7726bcb3c27157c103bfec6213678ad62aed6

    • SHA256

      ceb677cfc7a99f7dd569fd9d324dc80193e8baec73afcef9324e1bdc2125b130

    • SHA512

      c672cc8fd3df1c3013c90e5c31f9f63ab63d65f272ed10c194d15cc7a5de118aae118510b0114dd10122db76760201dbf1f79afb8945e2a1ab4cd37368b3ef08

    • SSDEEP

      3072:1qKNhjpqxmemFwMnvo2DOiwtvpzXzFHF5WYD4HCanq17xOebXnh7y5rYRTS64:JNBfF3BDOXtvRXdWyiHq1dOezh/g6

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks