General

  • Target

    993609639c915d36f2821bad869a17d4.bin

  • Size

    211KB

  • Sample

    240623-de62laxcme

  • MD5

    906d03486d5f3c85e9e3c4ca28096a99

  • SHA1

    e5b51f411f027e53a8a38e423c68c9f3912fbe61

  • SHA256

    58d87b46368bb7bf0181784e1c3adf3e39cf33f563b8ab0d3b44254ed3586f2a

  • SHA512

    af86f22d8e5d24a87ad9767fbb8fc4d6edcb4394beb4c3fbf1e31e8e7ad106c1db7918d7261f7b238ca106701479572ea1be9c46c07f2d5ebcfc760cf5c1cf74

  • SSDEEP

    6144:npbMgiPtNbzs2Dvat8wlEMvu6Ve5UiO2U0rs+1o0CT7g:Jwbzssyt8QTvm5pNUMs+1o0Gg

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

94bf1c

C2

http://185.172.128.116

Attributes

  • install_dir

    263c5c4d73

  • install_file

    Hkbsse.exe

  • strings_key

    70b7c8f26e3bc561578bd326a2eadf5a

  • url_paths

    /Mb3GvQs8/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Targets

    • Target

      fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

    • Size

      424KB

    • MD5

      993609639c915d36f2821bad869a17d4

    • SHA1

      899988523cc0bde90c28889a5e32b273757915ac

    • SHA256

      fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7

    • SHA512

      147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32

    • SSDEEP

      6144:6O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHU:axBuBTExX+AoLzTUKdvST/BoKupOjHz

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (1): T1012

  • System Information Discovery (2): T1082

Tasks