General

  • Target

    17688f03f125bb494dc7f304b8936221.exe

  • Size

    833KB

  • Sample

    230907-gwfshseh8x

  • MD5

    17688f03f125bb494dc7f304b8936221

  • SHA1

    7fadc66ba11a5b3c4582f4d9b5b245801ccf918a

  • SHA256

    6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

  • SHA512

    1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06

  • SSDEEP

    12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32
rc4.i32

Targets

    • Target

      17688f03f125bb494dc7f304b8936221.exe

    • Size

      833KB

    • MD5

      17688f03f125bb494dc7f304b8936221

    • SHA1

      7fadc66ba11a5b3c4582f4d9b5b245801ccf918a

    • SHA256

      6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

    • SHA512

      1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06

    • SSDEEP

      12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin payload

    • Detect rhadamanthys stealer shellcode

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (313) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (331) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks