General
Target: 9705b269886bfc7a262c12486f5e6802.exe
Size: 181KB
Sample: 231204-b2dmfsgd74
MD5: 9705b269886bfc7a262c12486f5e6802
SHA1: a9cb5931ddcc0cf8e5b886270bffdd14472e5248
SHA256: ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb
SHA512: 5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6
SSDEEP: 3072:OBfsGpcW25Gp+VIVnZqJQ1m9yGV0iT1gOcKFxq25KnB+WWxm78w2AAAvSFfG:SsGckEKnZU2GVBgWKB+hgv2A+G

Static task: static1

Behavioral task: behavioral1
Sample: 9705b269886bfc7a262c12486f5e6802.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: 9705b269886bfc7a262c12486f5e6802.exe
Resource: win10v2004-20231127-en
Malware Config
Extracted
smokeloader
6699
Extracted
smokeloader
2022
http://atillapro.com/
https://atillapro.com/
Extracted
remcos
RemoteHost: 185.157.162.241:1303
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-NT0JNG
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 9705b269886bfc7a262c12486f5e6802.exe
Size: 181KB
MD5: 9705b269886bfc7a262c12486f5e6802
SHA1: a9cb5931ddcc0cf8e5b886270bffdd14472e5248
SHA256: ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb
SHA512: 5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6
SSDEEP: 3072:OBfsGpcW25Gp+VIVnZqJQ1m9yGV0iT1gOcKFxq25KnB+WWxm78w2AAAvSFfG:SsGckEKnZU2GVBgWKB+hgv2A+G

- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of SetThreadContext