General

  • Target

    e2f15235131faa9d7e3d78b11090d495e61d888aa8ed7e5172e5e6090f8e2657

  • Size

    246KB

  • Sample

    240214-fj7vsshe9x

  • MD5

    5b519f1dfd87e492acbd18b10f32a1ce

  • SHA1

    a13b207dfce96e789a8a238612fb9063c0efdf72

  • SHA256

    e2f15235131faa9d7e3d78b11090d495e61d888aa8ed7e5172e5e6090f8e2657

  • SHA512

    036c76e959dc09b910828e57c354a73e5a03e3355356d999aabd269cbc0bfc70e95bfe0e603d4709df9d772ad4c69dab0681ce89d9680b10b99e8fac7dafc70e

  • SSDEEP

    3072:bKFx1SiFwEX6biGXIqdGCHO0/2W7G4wOnJ0Eque9sCGXn4nqB5AwUbEt7:eF3PFqOGX/MCHODWy2JHl4Nwx

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks