General

  • Target

    d6fe24c138220392bb0ba39f01b05ddf736d8ac58d26b2c11eb74c289f4b5fd0

  • Size

    248KB

  • Sample

    240215-wzmgssdg76

  • MD5

    b1c6dad23546e283864d559f2d2eccbb

  • SHA1

    38450a5d12ea378d5d755fc35648a025a739e1ce

  • SHA256

    d6fe24c138220392bb0ba39f01b05ddf736d8ac58d26b2c11eb74c289f4b5fd0

  • SHA512

    27cd93b097d26580f017e111298e90a327bd9a956a943b1845a3b9eff841140c0f52bc911b49e154a11f9101255b926579e356cc52760c91a02dcb0a8ea51a01

  • SSDEEP

    3072:Q9kF3eaLzJAPbooM/zJfcHzyRErRwT5exavcH1Xnq05f/Nhdl:Ik3zkS/VqzkE9A5exKyT/

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes
  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks