General

  • Target

    997fddbb5051c6b88bd29f1c7ef4bbc4edfffd3aa9c74a32916f475639fa7280

  • Size

    352KB

  • Sample

    230418-lhxw4aaf56

  • MD5

    2d9f20d3e23d07acbe602c2eda82fd4a

  • SHA1

    58eb86ffe24ff88038fd28dccb3eceb2731129a0

  • SHA256

    997fddbb5051c6b88bd29f1c7ef4bbc4edfffd3aa9c74a32916f475639fa7280

  • SHA512

    21f556b9f507161d96895a36655b63a10e2ae8c9e35d83f3136e99d7bedd9c54de3bd50af099e65a0110af78e5e29754d3db0b75de1269df74b0e0ec514c520d

  • SSDEEP

    3072:K8S2JV60FoyP8vKOxhGlHrQrG0c5YRTDM0Ask46nviA7clCywtRh92ZmXv+QoB5J:DR0y0iOkWrVAL3nv1mk+QzMYWCn2y

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

rhadamanthys

C2

http://179.43.142.201/img/favicon.png

Targets

    • Target

      997fddbb5051c6b88bd29f1c7ef4bbc4edfffd3aa9c74a32916f475639fa7280

    • Size

      352KB

    • MD5

      2d9f20d3e23d07acbe602c2eda82fd4a

    • SHA1

      58eb86ffe24ff88038fd28dccb3eceb2731129a0

    • SHA256

      997fddbb5051c6b88bd29f1c7ef4bbc4edfffd3aa9c74a32916f475639fa7280

    • SHA512

      21f556b9f507161d96895a36655b63a10e2ae8c9e35d83f3136e99d7bedd9c54de3bd50af099e65a0110af78e5e29754d3db0b75de1269df74b0e0ec514c520d

    • SSDEEP

      3072:K8S2JV60FoyP8vKOxhGlHrQrG0c5YRTDM0Ask46nviA7clCywtRh92ZmXv+QoB5J:DR0y0iOkWrVAL3nv1mk+QzMYWCn2y

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

MITRE ATT&CK Enterprise v6

Tasks