General
-
Target
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
-
Size
476KB
-
Sample
231012-18ln3sdd3s
-
MD5
76f37b780edf118a0364fab327167a0c
-
SHA1
78dbbff57068378e4709afea5ba35561eb157ef5
-
SHA256
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e
-
SHA512
f677065ad4a920fbd819dae3eff010f35b794ac3d2f2031acbad8162fa4cb9d398420ba5d665b4260f0a17832d149e617d097be5c4986ea7a31a33fd3878b7b3
-
SSDEEP
12288:y5QaO7SIsbbv4/lDv0zMrcoZPPPKW1ICFBCGw:ravv4tDKMrVPKsIkCGw
Malware Config
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Targets
-
-
Target
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
-
Size
476KB
-
MD5
76f37b780edf118a0364fab327167a0c
-
SHA1
78dbbff57068378e4709afea5ba35561eb157ef5
-
SHA256
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e
-
SHA512
f677065ad4a920fbd819dae3eff010f35b794ac3d2f2031acbad8162fa4cb9d398420ba5d665b4260f0a17832d149e617d097be5c4986ea7a31a33fd3878b7b3
-
SSDEEP
12288:y5QaO7SIsbbv4/lDv0zMrcoZPPPKW1ICFBCGw:ravv4tDKMrVPKsIkCGw
Score10/10-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload
-
Detect rhadamanthys stealer shellcode
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-