amadey | fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7

General

Target

993609639C915D36F2821BAD869A17D4.exe
Size

424KB
MD5

993609639c915d36f2821bad869a17d4
SHA1

899988523cc0bde90c28889a5e32b273757915ac
SHA256

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
SHA512

147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32
SSDEEP

6144:6O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHU:axBuBTExX+AoLzTUKdvST/BoKupOjHz

Score

10^/10

amadey smokeloader 94bf1c pub1 backdoor trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

94bf1c

C2

http://185.172.128.116

Attributes

install_dir
263c5c4d73
install_file
Hkbsse.exe
strings_key
70b7c8f26e3bc561578bd326a2eadf5a
url_paths
/Mb3GvQs8/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Hkbsse.exe1.exe

pid process

2592 Hkbsse.exe
2616 1.exe
Loads dropped DLL 3 IoCs

Processes:

993609639C915D36F2821BAD869A17D4.exeHkbsse.exe

pid process

2428 993609639C915D36F2821BAD869A17D4.exe
2592 Hkbsse.exe
2592 Hkbsse.exe
Drops file in Windows directory 1 IoCs

Processes:

993609639C915D36F2821BAD869A17D4.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job 993609639C915D36F2821BAD869A17D4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

993609639C915D36F2821BAD869A17D4.exe

pid process

2428 993609639C915D36F2821BAD869A17D4.exe

pid	process
2592	Hkbsse.exe
2616	1.exe

pid	process
2428	993609639C915D36F2821BAD869A17D4.exe
2592	Hkbsse.exe
2592	Hkbsse.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	993609639C915D36F2821BAD869A17D4.exe

pid	process
2428	993609639C915D36F2821BAD869A17D4.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

993609639C915D36F2821BAD869A17D4.exeHkbsse.exe

description	pid	process	target process
PID 2428 wrote to memory of 2592	2428	993609639C915D36F2821BAD869A17D4.exe	Hkbsse.exe
PID 2428 wrote to memory of 2592	2428	993609639C915D36F2821BAD869A17D4.exe	Hkbsse.exe
PID 2428 wrote to memory of 2592	2428	993609639C915D36F2821BAD869A17D4.exe	Hkbsse.exe
PID 2428 wrote to memory of 2592	2428	993609639C915D36F2821BAD869A17D4.exe	Hkbsse.exe
PID 2592 wrote to memory of 2616	2592	Hkbsse.exe	1.exe
PID 2592 wrote to memory of 2616	2592	Hkbsse.exe	1.exe
PID 2592 wrote to memory of 2616	2592	Hkbsse.exe	1.exe
PID 2592 wrote to memory of 2616	2592	Hkbsse.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\993609639C915D36F2821BAD869A17D4.exe
"C:\Users\Admin\AppData\Local\Temp\993609639C915D36F2821BAD869A17D4.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe"
3⤵
- Executes dropped EXE
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe

Filesize
239KB

MD5
e0a475f2ac0e9c3dad905d8ce84f62cb

SHA1
6b789faafed3e4e2d318c9ec9300f9ba3c865374

SHA256
b59e52b83b0a0cde0085b3ba306316a86a845a974cbeaf45da905476b6db53bb

SHA512
a23d30a9fc9d2560fe37b6d9ab334576e956412ca7841f63f051a54aa77a4e3bcf6b1b5e4e28304b06fde02028b20c6ff1297f750c4735281168164d3397cf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\969036373035

Filesize
62KB

MD5
5990bda4c92c547a3bdab4af6388ff5f

SHA1
a6ef8d204513f5eb9e9889a145f852af37786a07

SHA256
ef08f5fb0553da750afef1b74ec540d106b2253216cf2e9d51ff547f6530748d

SHA512
c96faccc03feccd73aabfc88160ae9e0818370c2dc631daeb738a9ada52f958c473ff8240a09281516d127b045edafd5d232e61d949fdae3ac8e1d47c58ae566

Download Submit
\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

Filesize
424KB

MD5
993609639c915d36f2821bad869a17d4

SHA1
899988523cc0bde90c28889a5e32b273757915ac

SHA256
fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7

SHA512
147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32

Download Submit
memory/2428-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2616-38-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2616-37-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2616-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2616-42-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2616-41-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2616-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads