General
-
Target
903ffd9f875c0f7193457a8687fb9038a2222b67dc0c977e863705391e400036
-
Size
392KB
-
Sample
230714-dz2bvach4w
-
MD5
828d63233b6f27532020cee06763eb36
-
SHA1
4c3366d3d30d45834779ab9ec2f9c2ecd69c66da
-
SHA256
903ffd9f875c0f7193457a8687fb9038a2222b67dc0c977e863705391e400036
-
SHA512
4bf9603bf23b2a72c2d14864265af490e8be41755ee4bcc7c427473e6d593de077dc48cdc7d1ed1fd21ae1bce1976346d2ca4ef83a054a7d7813d0cad30c55e6
-
SSDEEP
6144:fLs7YnT/WCw7+6NsuyWsybz4NYwK3z6sraIEuWNifsD7uvsEz1tTqFoI7aa:fwEnbjwyVuyW5kNYv3es1WMD0m1tGhb
Static task
static1
Behavioral task
behavioral1
Sample
903ffd9f875c0f7193457a8687fb9038a2222b67dc0c977e863705391e400036.exe
Resource
win10-20230703-en
Malware Config
Extracted
systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Extracted
smokeloader
2022
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Extracted
C:\info.hta
Targets
-
-
Target
903ffd9f875c0f7193457a8687fb9038a2222b67dc0c977e863705391e400036
-
Size
392KB
-
MD5
828d63233b6f27532020cee06763eb36
-
SHA1
4c3366d3d30d45834779ab9ec2f9c2ecd69c66da
-
SHA256
903ffd9f875c0f7193457a8687fb9038a2222b67dc0c977e863705391e400036
-
SHA512
4bf9603bf23b2a72c2d14864265af490e8be41755ee4bcc7c427473e6d593de077dc48cdc7d1ed1fd21ae1bce1976346d2ca4ef83a054a7d7813d0cad30c55e6
-
SSDEEP
6144:fLs7YnT/WCw7+6NsuyWsybz4NYwK3z6sraIEuWNifsD7uvsEz1tTqFoI7aa:fwEnbjwyVuyW5kNYv3es1WMD0m1tGhb
-
Detect rhadamanthys stealer shellcode
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
Renames multiple (447) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-