General
-
Target
1b94e6504da7365a7ac9e5f1c37ea714.exe
-
Size
164KB
-
Sample
230715-ay2z7sge66
-
MD5
1b94e6504da7365a7ac9e5f1c37ea714
-
SHA1
b2c784470f5400680f275943aacfcbef6cda5c88
-
SHA256
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
-
SHA512
6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
-
SSDEEP
3072:sSGL9TvjYP99HQjQQeTXE61nB1KpyehJqCFQUDjp5AJ:IL9jjYlaQ9E6B2yeHPOJ
Static task
static1
Behavioral task
behavioral1
Sample
1b94e6504da7365a7ac9e5f1c37ea714.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
1b94e6504da7365a7ac9e5f1c37ea714.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Extracted
systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Extracted
lumma
gstatic-node.io
Targets
-
-
Target
1b94e6504da7365a7ac9e5f1c37ea714.exe
-
Size
164KB
-
MD5
1b94e6504da7365a7ac9e5f1c37ea714
-
SHA1
b2c784470f5400680f275943aacfcbef6cda5c88
-
SHA256
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
-
SHA512
6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
-
SSDEEP
3072:sSGL9TvjYP99HQjQQeTXE61nB1KpyehJqCFQUDjp5AJ:IL9jjYlaQ9E6B2yeHPOJ
-
Detect rhadamanthys stealer shellcode
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
Renames multiple (315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-