General
-
Target
5ec4abfb8b8dcc8334e19d90b7e2aafaee85e2847369790a23466bcd07c7772b
-
Size
191KB
-
Sample
211110-pgdnlshab5
-
MD5
1c160a3e0e3f3ab11d9202129fe983b8
-
SHA1
605bff3300383f2654a1dd6681e7377e6fb1aca4
-
SHA256
5ec4abfb8b8dcc8334e19d90b7e2aafaee85e2847369790a23466bcd07c7772b
-
SHA512
b6d0441c6f96eeeee07c4d6e5d915c0b5da6d48b916cf925bfeaa94bf8fd4f8b839f0407d3af1d48ad15e4db4b7e0ff974e8db3a58b9ee0876d30fed39b508d3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Extracted
raccoon
1.8.3-hotfix
fcdc156d3872c18d25e3ee45499599b45e492a67
-
url4cnc
http://178.23.190.57/rino115sipsip
http://91.219.236.162/rino115sipsip
http://185.163.47.176/rino115sipsip
http://193.38.54.238/rino115sipsip
http://74.119.192.122/rino115sipsip
http://91.219.236.240/rino115sipsip
https://t.me/rino115sipsip
Targets
-
-
Target
5ec4abfb8b8dcc8334e19d90b7e2aafaee85e2847369790a23466bcd07c7772b
-
Size
191KB
-
MD5
1c160a3e0e3f3ab11d9202129fe983b8
-
SHA1
605bff3300383f2654a1dd6681e7377e6fb1aca4
-
SHA256
5ec4abfb8b8dcc8334e19d90b7e2aafaee85e2847369790a23466bcd07c7772b
-
SHA512
b6d0441c6f96eeeee07c4d6e5d915c0b5da6d48b916cf925bfeaa94bf8fd4f8b839f0407d3af1d48ad15e4db4b7e0ff974e8db3a58b9ee0876d30fed39b508d3
Score10/10-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies RDP port number used by Windows
-
Sets DLL path for service in the registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-