Overview

overview

10

Static

static

3

9eabf4c63e...fd.exe

windows7-x64

10

9eabf4c63e...fd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd

  • Size

    251KB

  • Sample

    240215-1vzzjsad86

  • MD5

    83fc58bf7eeea13c8750e29db4859609

  • SHA1

    c7bcdc80a1aa469f5d41215bdfa60a0437645936

  • SHA256

    9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd

  • SHA512

    c0b9ed5d9b21ccdf915c20e6319dff7698e9ef5b705166f1a8696adad86ac58f0c09cf4b186d07a96d38f221ee5a7b5e0eb6102ff6a226b0457dc521f6c0dddf

  • SSDEEP

    3072:NBQWCIDLD4XfZehN+5EmJi6nt+xVby3PVPKUXQZM/YfwbG6nSRIRETsFTWmBYBXs:NhbLDK2Ny5Ey/VKUOMQoBnGQWmWBj2

Score
10/10
amadeysmokeloaderpub2backdoorspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2022

C2

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru
Attributes
  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

rc4.plain

Targets

    • Target

      9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd

    • Size

      251KB

    • MD5

      83fc58bf7eeea13c8750e29db4859609

    • SHA1

      c7bcdc80a1aa469f5d41215bdfa60a0437645936

    • SHA256

      9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd

    • SHA512

      c0b9ed5d9b21ccdf915c20e6319dff7698e9ef5b705166f1a8696adad86ac58f0c09cf4b186d07a96d38f221ee5a7b5e0eb6102ff6a226b0457dc521f6c0dddf

    • SSDEEP

      3072:NBQWCIDLD4XfZehN+5EmJi6nt+xVby3PVPKUXQZM/YfwbG6nSRIRETsFTWmBYBXs:NhbLDK2Ny5Ey/VKUOMQoBnGQWmWBj2

    Score
    10/10
    amadeysmokeloaderpub2backdoorspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks