General

  • Target

    4a597691ba57ab7af0f8f83514707efe9e1cdc1f7c9d50e99b8e3a83cd9bafda

  • Size

    352KB

  • Sample

    230415-m9v29adh57

  • MD5

    50de4ca0dd1db8ef6d1583c82a7dbe9c

  • SHA1

    ccd35470b070888c787296b507d4a53aad34ea22

  • SHA256

    4a597691ba57ab7af0f8f83514707efe9e1cdc1f7c9d50e99b8e3a83cd9bafda

  • SHA512

    f41681ae87e81fd9694abc37d94c73d3fb8976cf708c08166158a62a99fbd98c83fd9ada15b65a57e701892f043a5804fb4c4f44f42b7321f3685d3c422c8894

  • SSDEEP

    6144:hW2G250BMJqUa9LPvSvZjoooS0eR0dciKwe4:hVb0BMJq39LPvsuDDTKt4

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      4a597691ba57ab7af0f8f83514707efe9e1cdc1f7c9d50e99b8e3a83cd9bafda

    • Size

      352KB

    • MD5

      50de4ca0dd1db8ef6d1583c82a7dbe9c

    • SHA1

      ccd35470b070888c787296b507d4a53aad34ea22

    • SHA256

      4a597691ba57ab7af0f8f83514707efe9e1cdc1f7c9d50e99b8e3a83cd9bafda

    • SHA512

      f41681ae87e81fd9694abc37d94c73d3fb8976cf708c08166158a62a99fbd98c83fd9ada15b65a57e701892f043a5804fb4c4f44f42b7321f3685d3c422c8894

    • SSDEEP

      6144:hW2G250BMJqUa9LPvSvZjoooS0eR0dciKwe4:hVb0BMJq39LPvsuDDTKt4

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks