General

  • Target

    a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426

  • Size

    351KB

  • Sample

    230415-e14c9sda45

  • MD5

    ba811b8357bf79af703ed5a7c50f44e4

  • SHA1

    1fbfa51ce0370b13a20d7b5c35f938a6b925da87

  • SHA256

    a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426

  • SHA512

    7b4997e42325308c81a5049a10a5aecde6455a11aee8224c05d03bdc0bf1436b3b99da3ff7df9e4b12dfc338735c45135e91b276a1b382f009b74c5b9a23c90e

  • SSDEEP

    3072:caNCAkzztSfIBIOCkflzgG04b8chS66O7NPdrbuqx0w1AXqTHrZ9TwPOrK/42SvQ:XN++SZCcn04k+II0wkqTLZpXTi

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426

    • Size

      351KB

    • MD5

      ba811b8357bf79af703ed5a7c50f44e4

    • SHA1

      1fbfa51ce0370b13a20d7b5c35f938a6b925da87

    • SHA256

      a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426

    • SHA512

      7b4997e42325308c81a5049a10a5aecde6455a11aee8224c05d03bdc0bf1436b3b99da3ff7df9e4b12dfc338735c45135e91b276a1b382f009b74c5b9a23c90e

    • SSDEEP

      3072:caNCAkzztSfIBIOCkflzgG04b8chS66O7NPdrbuqx0w1AXqTHrZ9TwPOrK/42SvQ:XN++SZCcn04k+II0wkqTLZpXTi

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks