General

  • Target

    a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

  • Size

    3.4MB

  • Sample

    231025-y93b4sga8s

  • MD5

    8b6693a9fd8f3a9ca63e933c7e1284bc

  • SHA1

    94fe1a59213d6cb266e5e6b8761b9b7a45512e1f

  • SHA256

    a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

  • SHA512

    882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9

  • SSDEEP

    49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32
rc4.i32

Extracted

Family

stealc

rc4.plain

Targets

    • Target

      a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

    • Size

      3.4MB

    • MD5

      8b6693a9fd8f3a9ca63e933c7e1284bc

    • SHA1

      94fe1a59213d6cb266e5e6b8761b9b7a45512e1f

    • SHA256

      a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

    • SHA512

      882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9

    • SSDEEP

      49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin payload

    • Detect rhadamanthys stealer shellcode

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks