Overview

overview

10

Static

static

3

NEAS.a75e3...JC.exe

windows7-x64

10

NEAS.a75e3...JC.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe

  • Size

    3.4MB

  • Sample

    231026-x4l79seh8s

  • MD5

    8b6693a9fd8f3a9ca63e933c7e1284bc

  • SHA1

    94fe1a59213d6cb266e5e6b8761b9b7a45512e1f

  • SHA256

    a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

  • SHA512

    882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9

  • SSDEEP

    49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps

Score
10/10
ammyyadminflawedammyyrhadamanthyssmokeloaderbackdoorbootkitcollectiondiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/
rc4.i32
rc4.i32

Targets

    • Target

      NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe

    • Size

      3.4MB

    • MD5

      8b6693a9fd8f3a9ca63e933c7e1284bc

    • SHA1

      94fe1a59213d6cb266e5e6b8761b9b7a45512e1f

    • SHA256

      a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

    • SHA512

      882ffd091cae2a658cb5b992a3c3c8e06519bedcee1ed629b4d933bfbea2e32531e04519ca76f450a4a014bf851360cb56d72c7bd2c13907c308b26fa0a0a2e9

    • SSDEEP

      49152:Q5qWhABbYQFw/3MywBAfm079cyxuc5BhBKiJ+av9kgzr0dt1cOZaX:ZWhEywBgm0OQ5BhkivHr0bps

    Score
    10/10
    ammyyadminflawedammyyrhadamanthyssmokeloaderbackdoorbootkitcollectiondiscoverypersistenceratspywarestealertrojan

    • Ammyy Admin

      Remote admin tool with various capabilities.

      ratammyyadmin

    • AmmyyAdmin payload

    • Detect rhadamanthys stealer shellcode

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

      trojanflawedammyy

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks