General

  • Target

    15015df0f2162b04aa3ec51ba5564ded4798868fe4560128efab1a816449b306

  • Size

    350KB

  • Sample

    230415-dk6ysacg97

  • MD5

    c95c0e49090ef50b2756687ba45466d4

  • SHA1

    d233cba6b0d12aa2a1fc0dae01d312c03746ebbf

  • SHA256

    15015df0f2162b04aa3ec51ba5564ded4798868fe4560128efab1a816449b306

  • SHA512

    e12edec02fe96a017ef7ec38a7067c66689a738968fac79724388fc46990608f00d67b2974a0030bda5adbcad89dba8fcbd91f76ea3f6d5feb08098f21c76de4

  • SSDEEP

    3072:xMaLCAQ3zCb1gQ2Qfzdgi1DGickrlEPfIyOzbuDtW92SoNIUvSGL4Oy/D2Sv6dz:FLOCpD2at1D2IWDIJI4S4rTi

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      15015df0f2162b04aa3ec51ba5564ded4798868fe4560128efab1a816449b306

    • Size

      350KB

    • MD5

      c95c0e49090ef50b2756687ba45466d4

    • SHA1

      d233cba6b0d12aa2a1fc0dae01d312c03746ebbf

    • SHA256

      15015df0f2162b04aa3ec51ba5564ded4798868fe4560128efab1a816449b306

    • SHA512

      e12edec02fe96a017ef7ec38a7067c66689a738968fac79724388fc46990608f00d67b2974a0030bda5adbcad89dba8fcbd91f76ea3f6d5feb08098f21c76de4

    • SSDEEP

      3072:xMaLCAQ3zCb1gQ2Qfzdgi1DGickrlEPfIyOzbuDtW92SoNIUvSGL4Oy/D2Sv6dz:FLOCpD2at1D2IWDIJI4S4rTi

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks