General
-
Target
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
-
Size
3.4MB
-
Sample
231025-y93b4sga8s
-
MD5
8b6693a9fd8f3a9ca63e933c7e1284bc
-
SHA1
94fe1a59213d6cb266e5e6b8761b9b7a45512e1f
-
SHA256
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
-
SHA512
882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9
-
SSDEEP
49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps
Static task
static1
Behavioral task
behavioral1
Sample
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
Resource
win10v2004-20231023-en
Malware Config
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Extracted
stealc
Targets
-
-
Target
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
-
Size
3.4MB
-
MD5
8b6693a9fd8f3a9ca63e933c7e1284bc
-
SHA1
94fe1a59213d6cb266e5e6b8761b9b7a45512e1f
-
SHA256
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
-
SHA512
882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9
-
SSDEEP
49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps
-
AmmyyAdmin payload
-
Detect rhadamanthys stealer shellcode
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-