General
Target: tmp
Size: 50.3MB
Sample: 230620-xw9ctsdg98
MD5: 055cd3d8cd94b3ca5093ed3692e6ae40
SHA1: 1e672ddff4f85c998bdb02bb98bae55b87bc0073
SHA256: a3582918024fb85fe4a2eeeaddb5c14b210cb7c90fe7d262cacbec048e6a470f
SHA512: d2781867dc1638f1f717a67eb9c99acf8b40915f11513e3bbcad005203a6334e528113f977f6ac7284418f64e669abacc818221b9fe32e357fc5a6680f93152a
SSDEEP: 1572864:mVOgHnI7e0HIFGmLhTW7mDlQHAxlA4nxt6:SZyo/LAmRgAFy
Static task: static1
Behavioral task: behavioral1 (Sample: tmp.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: tmp.exe, Resource: win10v2004-20230220-en)
Malware Config
Extracted: https://sungeomatics.com/css/colors/debug2.ps1
Extracted: smokeloader (pub1)
Extracted: gcleaner
- 45.12.253.56
- 45.12.253.72
- 45.12.253.98
- 45.12.253.75
Extracted: smokeloader (2020)
- http://host-file-host6.com/
- http://host-host-file8.com/
Targets
- Detect rhadamanthys stealer shellcode
- Glupteba payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Modifies boot configuration data using bcdedit
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
- Stops running service(s)
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext