General

  • Target

    26f4bb629b1edcf4164fe8dbea1fb6c9ee2c7f0ef4cb2febd8a38fc5205fb278

  • Size

    352KB

  • Sample

    230415-ttf2qaeg47

  • MD5

    cf7534f90446600755811c889eb30fb8

  • SHA1

    db19771e20ceaa9c07f14358cbaa7b3af4563591

  • SHA256

    26f4bb629b1edcf4164fe8dbea1fb6c9ee2c7f0ef4cb2febd8a38fc5205fb278

  • SHA512

    bf2b1079e94d8e64c3a2a366d256e6da7ec7348720884b3dfd8cc3ed0072eded868ae685e81b01cd29fbd8d3ab96b318d17ec41300e0c598d9680cd17356e312

  • SSDEEP

    3072:WBX5CuZY4eXCSieZSlZ+cU2odYzr6dB6a1eDq+hbWerOr6NYz2/UkNB5cF2l+OV9:aX644N4ljASDrh6C4z28H8we4

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      26f4bb629b1edcf4164fe8dbea1fb6c9ee2c7f0ef4cb2febd8a38fc5205fb278

    • Size

      352KB

    • MD5

      cf7534f90446600755811c889eb30fb8

    • SHA1

      db19771e20ceaa9c07f14358cbaa7b3af4563591

    • SHA256

      26f4bb629b1edcf4164fe8dbea1fb6c9ee2c7f0ef4cb2febd8a38fc5205fb278

    • SHA512

      bf2b1079e94d8e64c3a2a366d256e6da7ec7348720884b3dfd8cc3ed0072eded868ae685e81b01cd29fbd8d3ab96b318d17ec41300e0c598d9680cd17356e312

    • SSDEEP

      3072:WBX5CuZY4eXCSieZSlZ+cU2odYzr6dB6a1eDq+hbWerOr6NYz2/UkNB5cF2l+OV9:aX644N4ljASDrh6C4z28H8we4

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks