amadey | 58d87b46368bb7bf0181784e1c3adf3e39cf33f563b8ab0d3b44254ed3586f2a

General

Target

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
Size

424KB
MD5

993609639c915d36f2821bad869a17d4
SHA1

899988523cc0bde90c28889a5e32b273757915ac
SHA256

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
SHA512

147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32
SSDEEP

6144:6O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHU:axBuBTExX+AoLzTUKdvST/BoKupOjHz

Score

10^/10

amadey smokeloader 94bf1c pub1 backdoor trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

94bf1c

C2

http://185.172.128.116

Attributes

install_dir
263c5c4d73
install_file
Hkbsse.exe
strings_key
70b7c8f26e3bc561578bd326a2eadf5a
url_paths
/Mb3GvQs8/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

Hkbsse.exe1.exe

pid process

1676 Hkbsse.exe
2764 1.exe
Loads dropped DLL 3 IoCs

Processes:

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exeHkbsse.exe

pid process

2440 fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
1676 Hkbsse.exe
1676 Hkbsse.exe
Drops file in Windows directory 1 IoCs

Processes:

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

pid process

2440 fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

pid	process
1676	Hkbsse.exe
2764	1.exe

pid	process
2440	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
1676	Hkbsse.exe
1676	Hkbsse.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

pid	process
2440	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exeHkbsse.exe

description	pid	process	target process
PID 2440 wrote to memory of 1676	2440	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe	Hkbsse.exe
PID 2440 wrote to memory of 1676	2440	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe	Hkbsse.exe
PID 2440 wrote to memory of 1676	2440	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe	Hkbsse.exe
PID 2440 wrote to memory of 1676	2440	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe	Hkbsse.exe
PID 1676 wrote to memory of 2764	1676	Hkbsse.exe	1.exe
PID 1676 wrote to memory of 2764	1676	Hkbsse.exe	1.exe
PID 1676 wrote to memory of 2764	1676	Hkbsse.exe	1.exe
PID 1676 wrote to memory of 2764	1676	Hkbsse.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\1000013001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\1.exe"
3⤵
- Executes dropped EXE
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000013001\1.exe

Filesize
224KB

MD5
b96f0135250aab5a530906d079b178e1

SHA1
0247f3518116f23386796fc14991825dddfe1db8

SHA256
004eeca29e9a5bf7e40352873677e4a816e4efea504d96a3c308711fc5ada749

SHA512
244f56d2afd174f7f4e6430fcaa72d973b849a966d5df398d9a4120179dea9710689ed6d62a67e6adf4649a62cdec74ccd42de7e2f67e697ee3d1b50519fc4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\816782303773

Filesize
52KB

MD5
93267bfc9e393cc2b6ef8b44f08fff3f

SHA1
62e479d0e0430414ba15ec13cb379b862e7be52f

SHA256
795273e7bfa023fe58c5fb21bfcee31312c2457dac0fa3edac30a963de1d701c

SHA512
a32d30131624050b306fc15281185d98d9c203fdbf757069343afa84baec07d06f961245d28b0d6c1284f6dd1ba375f3b85c9ee9dc9e418a0fbcde01320c5a65

Download Submit
\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

Filesize
424KB

MD5
993609639c915d36f2821bad869a17d4

SHA1
899988523cc0bde90c28889a5e32b273757915ac

SHA256
fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7

SHA512
147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32

Download Submit
memory/2440-1-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2764-39-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/2764-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-40-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2764-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2764-41-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads