General

  • Target

    828bdd40bebbb1ff9d1524b539a9f592619b4be68e65e6c70a0579f364fb9a49

  • Size

    350KB

  • Sample

    230415-kg5d4sfa91

  • MD5

    29899f4bdb072e6b043814e4c2e682bd

  • SHA1

    8324ca39037e58eee12513d20477a00bdb2714c1

  • SHA256

    828bdd40bebbb1ff9d1524b539a9f592619b4be68e65e6c70a0579f364fb9a49

  • SHA512

    55b4b849d7ce42692840ca638f842601b9b23d2bab15f1395414176e4ae0083002d73aad2c291271ff29c64eb094360fdeee62debf7d13ac5976750275b0a6a8

  • SSDEEP

    3072:Dd94UtR6y/CXve1w9z90gNAm2UGgcVZYQOIMrTuYYOUq3pgslTXHJj/xWGmfvIsy:DT4qCfe1EV2uUmuuf3pgsllJD5/taTi

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      828bdd40bebbb1ff9d1524b539a9f592619b4be68e65e6c70a0579f364fb9a49

    • Size

      350KB

    • MD5

      29899f4bdb072e6b043814e4c2e682bd

    • SHA1

      8324ca39037e58eee12513d20477a00bdb2714c1

    • SHA256

      828bdd40bebbb1ff9d1524b539a9f592619b4be68e65e6c70a0579f364fb9a49

    • SHA512

      55b4b849d7ce42692840ca638f842601b9b23d2bab15f1395414176e4ae0083002d73aad2c291271ff29c64eb094360fdeee62debf7d13ac5976750275b0a6a8

    • SSDEEP

      3072:Dd94UtR6y/CXve1w9z90gNAm2UGgcVZYQOIMrTuYYOUq3pgslTXHJj/xWGmfvIsy:DT4qCfe1EV2uUmuuf3pgsllJD5/taTi

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks