General

  • Target

    idjvgwd.bin.zip

  • Size

    172KB

  • Sample

    210224-3mvdd59de6

  • MD5

    097915463dcf192fdbca34df7a5441d5

  • SHA1

    9222ed80cc82240b45616f259408e671d7fd9398

  • SHA256

    069b72f63213700ec54cced47b46ae6db1634f807ef2caeb1b2d7b2932708857

  • SHA512

    f4e8f5ad108018aca6cdeed729e87de742e8acc9d681be1821b46781eef7a429c85829ceff09786493cd5611ca4b9cd52caa7cc2b76f63ca5f520e79aa384db3

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Targets

    • Target

      idjvgwd.bin

    • Size

      1.2MB

    • MD5

      ea0e8e6b849a09e27aed632bda488d8c

    • SHA1

      de4a5e2aa40a3593090247d14cd5d01f1ae30450

    • SHA256

      b10cba4d61edc00dbf593421ccf9b3eafd5e4a50d8049f6a36030a398da01e15

    • SHA512

      acbbe334f8e0d9e2a7054582699d8aa40d61f877d49b3b37875182970e641b4287f020dafb2f8f46576fec6616800be3e7706bbccb4d43b3b74f468530ae49bd

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Tasks