General

  • Target

    f25b1dd4bc3b8f899575ff4ae01594385a490a644b51e51c1a8f6685fd167006

  • Size

    349KB

  • Sample

    230414-ym94fabe95

  • MD5

    a5410d051fd7def3f40547de64cc7c62

  • SHA1

    781e8afa8480a343baf9aac9be96b95115f94f72

  • SHA256

    f25b1dd4bc3b8f899575ff4ae01594385a490a644b51e51c1a8f6685fd167006

  • SHA512

    6b96722695ba0f9e212c8653633cad0d6a43b9d2e8bfa36a372fa4675f8f45d92e35b2602442f9d76a5695d6172e4b8c71cbd6c6be9f025596443ef126f645a6

  • SSDEEP

    6144:ap8+xtfctg0v9C6gy5ZMQ764BV52XVBaxi:apDtkq0VC615ZzBVuVN

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      f25b1dd4bc3b8f899575ff4ae01594385a490a644b51e51c1a8f6685fd167006

    • Size

      349KB

    • MD5

      a5410d051fd7def3f40547de64cc7c62

    • SHA1

      781e8afa8480a343baf9aac9be96b95115f94f72

    • SHA256

      f25b1dd4bc3b8f899575ff4ae01594385a490a644b51e51c1a8f6685fd167006

    • SHA512

      6b96722695ba0f9e212c8653633cad0d6a43b9d2e8bfa36a372fa4675f8f45d92e35b2602442f9d76a5695d6172e4b8c71cbd6c6be9f025596443ef126f645a6

    • SSDEEP

      6144:ap8+xtfctg0v9C6gy5ZMQ764BV52XVBaxi:apDtkq0VC615ZzBVuVN

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks