General

  • Target

    93446b8aac27c90e5f9a9fc9dd8376cac7fe8c94977bfe9c50326b2aea247142

  • Size

    231KB

  • Sample

    240213-z9b1lahd6t

  • MD5

    7e9e73cd5e7ae3348e503347d4210cd9

  • SHA1

    e5f4d2cddc027915f709e5c728fe268a790632b7

  • SHA256

    93446b8aac27c90e5f9a9fc9dd8376cac7fe8c94977bfe9c50326b2aea247142

  • SHA512

    2414ebe0cb8824268f3fb64f9f43b1cc4c6491a8f2362526730f8e0a082477145d827b0ffbe87f174a82cc742ab6f10f589c1c442d87955e7d6a52f192431ff4

  • SSDEEP

    3072:HdKhh58jcFwwXtgQG/JzUldOZL9GwPc41N/9x4un5IzmXnvnHn5zlUz7:ohvjFRLG/nZxGwPcKN/gmIzOvxM

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes
  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

MITRE ATT&CK Enterprise v15