chinese_generic_botnet | ebcecaf7cc142a2954b15d4390e5275aed5a7c8f70a7c777c0288b5f3c2312ac

Sharing

Copy URL

Twitter E-mail

General

Target

e98e80b300af28043252190b020ee173.exe
Size

139KB
Sample

210926-r9bqtsfac6
MD5

e98e80b300af28043252190b020ee173
SHA1

df38365f73543166e8fb859908f0b3dbc9b6e64e
SHA256

ebcecaf7cc142a2954b15d4390e5275aed5a7c8f70a7c777c0288b5f3c2312ac
SHA512

11d40f6529dd546cdf97c73183393418e728a64320cb1345d43056f002e469ab16eae64eb4b628b195234cf07843cb2e7fb659d46598c3de951d73d1b680b762

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

Botnet

installszxc

138.124.186.2:27999

Extracted

Family

redline

Botnet

z0rm1onbuild

45.156.21.209:56326

Extracted

Family

raccoon

Botnet

b2f2e53f9e27f901d453d8f6fbafe1b4d5266bb7

Attributes

url4cnc
https://t.me/hcdrom1

rc4.plain

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

Bliss

185.237.98.178:62607

Extracted

Family

redline

Botnet

karma

94.103.9.133:39323

Targets

- Target
  
  e98e80b300af28043252190b020ee173.exe
- Size
  
  139KB
- MD5
  
  e98e80b300af28043252190b020ee173
- SHA1
  
  df38365f73543166e8fb859908f0b3dbc9b6e64e
- SHA256
  
  ebcecaf7cc142a2954b15d4390e5275aed5a7c8f70a7c777c0288b5f3c2312ac
- SHA512
  
  11d40f6529dd546cdf97c73183393418e728a64320cb1345d43056f002e469ab16eae64eb4b628b195234cf07843cb2e7fb659d46598c3de951d73d1b680b762
Score

10^/10

chinese_generic_botnet raccoon redline smokeloader 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 b2f2e53f9e27f901d453d8f6fbafe1b4d5266bb7 bliss installszxc karma z0rm1onbuild backdoor botnet discovery evasion infostealer spyware stealer themida trojan persistence
- Generic Chinese Botnet
  A botnet originating from China which is currently unnamed publicly.
  botnet chinese_generic_botnet
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Chinese Botnet Payload
  botnet
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Generic Chinese Botnet

Raccoon

RedLine

RedLine Payload

SmokeLoader

Chinese Botnet Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2