General

  • Target

    5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603

  • Size

    351KB

  • Sample

    230415-bp88laeb21

  • MD5

    125bd43136a2cd9a67bc303038d67c13

  • SHA1

    92a33b34af7a7d012120275cc4ce265e47984e04

  • SHA256

    5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603

  • SHA512

    dc747b3773892c33d9c89f0a1968e1642483b7155b385edb77e92a149d96ffdb1bc9c2c2919c1bba2de75f3eedc21dfa9037198681f9cab34e3c6453c2499686

  • SSDEEP

    3072:ufapCAa/zybPg1w0yOBg+c11Nc3tdZDKTJDfbudGAg7lGsQOdHNqhiUPI4pMsJcP:PpIyjKw8Vc1e64MkzwNqAUN9XhWOTi

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png
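The extracted configuration above, together with the hashes under General, is the part of this report a defender actually reuses. The following Python script is an added example and not part of the sandbox report: it encodes those IOCs verbatim, checks a file's digests against the reported ones, and scans proxy-log lines for traffic to the listed C2 URLs. The five-field log format and the log lines are constructed for the example; the SSDEEP value is not recomputed because that needs a third-party library. SmokeLoader's C2 entries all end in the gate directory `/tmp/`, so they are matched as path prefixes, while the Rhadamanthys URL is matched exactly and any other request to that IP is reported as a lower-confidence host match.

```python
"""Hunt for the IOCs in a SmokeLoader / Rhadamanthys sandbox report.

Added example; hashes and C2 URLs are copied from the report, the proxy
log format and its lines are constructed for demonstration.
"""
import hashlib
from urllib.parse import urlsplit

# Digests of the analysed sample, as listed in the report.
REPORT_HASHES = {
    "md5": "125bd43136a2cd9a67bc303038d67c13",
    "sha1": "92a33b34af7a7d012120275cc4ce265e47984e04",
    "sha256": "5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603",
    "sha512": "dc747b3773892c33d9c89f0a1968e1642483b7155b385edb77e92a149d96ffdb"
              "1bc9c2c2919c1bba2de75f3eedc21dfa9037198681f9cab34e3c6453c2499686",
}

# C2 URLs from the extracted configs, grouped by family.
C2_BY_FAMILY = {
    "smokeloader": [
        "http://aapu.at/tmp/",
        "http://poudineh.com/tmp/",
        "http://firsttrusteedrx.ru/tmp/",
        "http://kingpirate.ru/tmp/",
    ],
    "rhadamanthys": ["http://179.43.142.201/img/favicon.png"],
}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2023-04-15T10:01:02Z 10.0.0.12 GET http://example.com/index.html 200
2023-04-15T10:01:09Z 10.0.0.12 POST http://aapu.at/tmp/ 200
2023-04-15T10:02:30Z 10.0.0.12 GET http://179.43.142.201/img/favicon.png 200
2023-04-15T10:03:00Z 10.0.0.44 GET http://poudineh.com/about 200
2023-04-15T10:04:00Z 10.0.0.44 GET https://kingpirate.ru/tmp/index.php 200
"""


def hash_bytes(data: bytes) -> dict:
    """Compute the four report digests (ssdeep omitted: needs a C library)."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(digests: dict) -> dict:
    """Per-algorithm comparison against the report; all must agree for a match."""
    return {name: digests.get(name) == value for name, value in REPORT_HASHES.items()}


def build_index(c2_by_family: dict) -> dict:
    """Map C2 hostname -> [(path, family), ...]; hostnames are lowercased by urlsplit."""
    index = {}
    for family, urls in c2_by_family.items():
        for url in urls:
            parts = urlsplit(url)
            index.setdefault(parts.hostname, []).append((parts.path, family))
    return index


def scan_proxy_log(log_text: str, c2_by_family: dict = C2_BY_FAMILY) -> list:
    """Return one hit per log line whose URL host is a known C2 host.

    confidence "url": the request path starts with a configured C2 path
    (SmokeLoader gates are directories, so prefix matching is intended).
    confidence "host": known C2 host but a different path; still worth a look,
    since the Rhadamanthys URL looks like a harmless favicon fetch.
    """
    index = build_index(c2_by_family)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # not in the constructed format; skip rather than guess
        url = urlsplit(fields[3])
        host = url.hostname
        if host not in index:
            continue
        path = url.path or "/"
        by_path = sorted({fam for p, fam in index[host] if path.startswith(p)})
        by_host = sorted({fam for _, fam in index[host]})
        hits.append({
            "line": lineno,
            "host": host,
            "url": fields[3],
            "families": by_path or by_host,
            "confidence": "url" if by_path else "host",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['confidence']:4} {hit['families']} {hit['url']}")
    # To check a local file against the report:
    # print(matches_report(hash_bytes(open("sample.bin", "rb").read())))
```

Run against a real proxy or DNS export, lines 2, 3 and 5 of the constructed log are URL-level hits and line 4 is a host-only hit; treat host-only hits on the bare IP as seriously as the favicon path, since the path is whatever the operator chooses.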

Targets

    • Target

      5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6
