General
-
Target
a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207
-
Size
374KB
-
Sample
230715-e26vsagh94
-
MD5
11576ac18b5197c705e4282db22f0295
-
SHA1
2fbc5d63c8de05d5f1102a8066d5b394612128fc
-
SHA256
a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207
-
SHA512
ce194dee6ad0e72e330dbd817c9dc8b93b9e5bc7fac9f3e3d8395268b2f5b9f98de97fa83f864cae4e943f94b2cf7980bd7ad34130e2413e17d2c46937112d65
-
SSDEEP
6144:OHLXQ54uIlhxS4eDVFXbDu9l+9xj6RHARigv:cjQ5NkEhPLir+9wRHqiU
Static task
static1
Behavioral task
behavioral1
Sample
a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207.exe
Resource
win10-20230703-en
Malware Config
Extracted
systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Extracted
smokeloader
2022
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Extracted
C:\info.hta
HTML note dropped to disk; the only recoverable content is a contact e-mail address, which is redacted in this report ([email protected]).
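The SystemBC host:port pairs and SmokeLoader gate URLs extracted above, turned into a log check. This is an added example, not part of the sandbox report or of any vendor tooling: it embeds the report's C2 indicators and runs them over a few constructed proxy, DNS and connection log lines (the log layout, the 10.0.0.5 client and the benign example.xyz host are assumptions for illustration). SmokeLoader is matched on host plus path prefix so that a query string appended to the gate still triggers; SystemBC is matched on the exact host:port, and any contact with a listed domain on another port is still reported as a lower-specificity domain hit.

```python
"""Match proxy, DNS and connection log lines against the C2 indicators in this report."""
import re
from urllib.parse import urlsplit

# SystemBC C2 endpoints (host, port), as listed in the report's Malware Config.
SYSTEMBC_C2 = {
    ("adstat477d.xyz", 4044),
    ("demstat577d.xyz", 4044),
}

# SmokeLoader C2 gate URLs, as listed in the report's Malware Config.
SMOKELOADER_URLS = [
    "http://serverxlogs21.xyz/statweb255/",
    "http://servxblog79.xyz/statweb255/",
    "http://demblog289.xyz/statweb255/",
    "http://admlogs77x.online/statweb255/",
    "http://blogxstat38.xyz/statweb255/",
    "http://blogxstat25.xyz/statweb255/",
]

# Every C2 domain from both families, for DNS-only or off-port sightings.
C2_DOMAINS = {h for h, _ in SYSTEMBC_C2} | {urlsplit(u).hostname for u in SMOKELOADER_URLS}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Bare hostname with an alphabetic TLD, optionally followed by :port (IP addresses do not match).
HOSTPORT_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})(?::(\d{1,5}))?\b", re.IGNORECASE)


def classify_line(line):
    """Return a list of (family, indicator) hits found in one log line."""
    hits = []
    # 1. Full URLs: SmokeLoader beacons to the gate, so match host + path prefix
    #    rather than the exact string (a trailing query string must still trigger).
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        for c2 in SMOKELOADER_URLS:
            gate = urlsplit(c2)
            if host == gate.hostname and parts.path.startswith(gate.path):
                hits.append(("smokeloader", c2))
    # 2. Bare host[:port] tokens, with URLs removed so their hosts are not counted twice.
    rest = URL_RE.sub(" ", line)
    for host, port in HOSTPORT_RE.findall(rest):
        host = host.lower()
        if port and (host, int(port)) in SYSTEMBC_C2:
            hits.append(("systembc", f"{host}:{port}"))
        elif host in C2_DOMAINS:
            # Listed domain seen via DNS or on an unexpected port: still worth a look.
            hits.append(("c2-domain", host))
    return hits


def scan(lines):
    """Scan an iterable of log lines; return [(line_no, family, indicator), ...]."""
    return [(n, fam, ioc)
            for n, line in enumerate(lines, 1)
            for fam, ioc in classify_line(line)]


# Constructed sample log lines (not from the report); 10.0.0.5 is an assumed client.
SAMPLE_LOGS = [
    # proxy log: SmokeLoader gate with an appended query string
    "2023-07-15T10:02:11Z 10.0.0.5 POST http://serverxlogs21.xyz/statweb255/?id=1 200 512",
    # DNS log: resolution of a SystemBC C2 host
    "2023-07-15T10:02:12Z dns query 10.0.0.5 -> adstat477d.xyz A",
    # connection log: SystemBC C2 on its configured port
    "2023-07-15T10:02:13Z conn 10.0.0.5:49812 -> demstat577d.xyz:4044 tcp",
    # benign: same path on an unrelated (assumed) host must not trigger
    "2023-07-15T10:02:14Z GET http://example.xyz/statweb255/ 404 0",
    # listed domain on a non-C2 port: reported as a domain hit only
    "2023-07-15T10:02:15Z conn 10.0.0.5:49813 -> adstat477d.xyz:443 tcp",
]

if __name__ == "__main__":
    for line_no, family, indicator in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {family} {indicator}")
```

Feed real proxy or DNS exports to scan() one line at a time; the path-prefix match is deliberately loose because SmokeLoader gate URLs in the wild carry varying parameters, while SystemBC is matched on the exact port the config specifies.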
Targets
-
-
Target
a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207
-
Size
374KB
-
MD5
11576ac18b5197c705e4282db22f0295
-
SHA1
2fbc5d63c8de05d5f1102a8066d5b394612128fc
-
SHA256
a81c88ad0eb4d2dfa7ea25b0326e1b1b8ffe630791647129f85312aeb50df207
-
SHA512
ce194dee6ad0e72e330dbd817c9dc8b93b9e5bc7fac9f3e3d8395268b2f5b9f98de97fa83f864cae4e943f94b2cf7980bd7ad34130e2413e17d2c46937112d65
-
SSDEEP
6144:OHLXQ54uIlhxS4eDVFXbDu9l+9xj6RHARigv:cjQ5NkEhPLir+9wRHqiU
-
Detect rhadamanthys stealer shellcode
-
Rhadamanthys
Rhadamanthys is an information stealer written in C++, first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
Renames multiple (436) files with an added filename extension
Consistent with ransomware encrypting files on the system and appending its own extension to each.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-