General

  • Target

    7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305

  • Size

    351KB

  • Sample

    230415-kbdn7sfa71

  • MD5

    078c0fbc4b1994d09144646f158f3467

  • SHA1

    b57027461040bc08e1e8d0f580cc1f9511027049

  • SHA256

    7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305

  • SHA512

    55fea4f83f0c4f4718a8686ec61b9337272cf7afcd9246da31166dd89a0f729be0a3d798689776d3cad97486bc6d1f4322a5e1663f0b307dc216c37c71f62f67

  • SSDEEP

    3072:OWC7ygb/zm4/QVsN0CDxgUsaQNcXBdZDaIJLbu2rUtIfW7bzqr/5nq/i72Sv6dN:hYxmM6sNBbsaVJsAJmzqdx7Ti

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305

    • Size

      351KB

    • MD5

      078c0fbc4b1994d09144646f158f3467

    • SHA1

      b57027461040bc08e1e8d0f580cc1f9511027049

    • SHA256

      7f29efcd1a7a9cccf480d76f4f21c797bfc9924593a95d51ac88253f95173305

    • SHA512

      55fea4f83f0c4f4718a8686ec61b9337272cf7afcd9246da31166dd89a0f729be0a3d798689776d3cad97486bc6d1f4322a5e1663f0b307dc216c37c71f62f67

    • SSDEEP

      3072:OWC7ygb/zm4/QVsN0CDxgUsaQNcXBdZDaIJLbu2rUtIfW7bzqr/5nq/i72Sv6dN:hYxmM6sNBbsaVJsAJmzqdx7Ti

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks