General

  • Target

    e16d06c2dd0bdb291d6c9c68aef2989185686a6f53016df188c251ddcd81e9e4

  • Size

    347KB

  • Sample

    230416-hfeqyshc75

  • MD5

    2c32976ff43f7f87096e1c740a855808

  • SHA1

    a307b9e96873d786a44216475aadad33790a13fd

  • SHA256

    e16d06c2dd0bdb291d6c9c68aef2989185686a6f53016df188c251ddcd81e9e4

  • SHA512

    3aef7f8baf1f2b1ef826821ec77272ff79b60d55b1042470559da9f825b94c0c9de4524797dea87d01a5de24c1ed0499ba7b2c9c27dfdcd66217dbe9ada3875c

  • SSDEEP

    6144:+t/6WkcDc8qGzOM84WGmEzJL7U9c5+61qde:+tSWDvqGzOR4WEzZ7U/WS

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub4

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://aapu.at/tmp/

    http://poudineh.com/tmp/

    http://firsttrusteedrx.ru/tmp/

    http://kingpirate.ru/tmp/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    rhadamanthys

  • C2

    http://179.43.142.201/img/favicon.png

Targets

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks