General
-
Target
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e.exe
-
Size
9KB
-
Sample
210322-ebnlm3ltze
-
MD5
2151c4b970eff0071948dbbc19066aa4
-
SHA1
6044352fbee4746c6dd4d53950fb8070cd3ae309
-
SHA256
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
-
SHA512
e09f6beae51995324edfd09f830df63666e44809c5f02dba5ae0c82cebdbc49029832cdd4443785d0aaffc094fb3f52613258292459406e68cc8a2df2f007a85
Malware Config
Extracted
raccoon
c46f13f8aadc028907d65c627fd9163161661f6c
-
url4cnc
https://telete.in/capibar
Extracted
raccoon
2ce901d964b370c5ccda7e4d68354ba040db8218
-
url4cnc
https://telete.in/tomarsjsmith3
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Targets
-
-
Target
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e.exe
-
Size
9KB
-
MD5
2151c4b970eff0071948dbbc19066aa4
-
SHA1
6044352fbee4746c6dd4d53950fb8070cd3ae309
-
SHA256
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
-
SHA512
e09f6beae51995324edfd09f830df63666e44809c5f02dba5ae0c82cebdbc49029832cdd4443785d0aaffc094fb3f52613258292459406e68cc8a2df2f007a85
Score10/10-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Executes dropped EXE
-
Sets service image path in registry
-
Drops startup file
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-