General
-
Target
638b7341c29c901b02f462bb5fe449e246de3c0b98453a4e6bfc44da442ba8d5
-
Size
191KB
-
Sample
211110-s38yeseecq
-
MD5
1dcf68273681264082f59a9ff0851df1
-
SHA1
d47ac0d1966977c2b3a3154d38638aed5e37d5cd
-
SHA256
638b7341c29c901b02f462bb5fe449e246de3c0b98453a4e6bfc44da442ba8d5
-
SHA512
fadd6c8840496c7e4c243a77c746c0c083f0fc080110607d2b10d6b416608ecd6c117dca57ed1ef60da33a8674de2b471c99131c0af8df4e941eb9a4e8238a3d
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Extracted
raccoon
1.8.3-hotfix
fcdc156d3872c18d25e3ee45499599b45e492a67
-
url4cnc
http://178.23.190.57/rino115sipsip
http://91.219.236.162/rino115sipsip
http://185.163.47.176/rino115sipsip
http://193.38.54.238/rino115sipsip
http://74.119.192.122/rino115sipsip
http://91.219.236.240/rino115sipsip
https://t.me/rino115sipsip
Targets
-
-
Target
638b7341c29c901b02f462bb5fe449e246de3c0b98453a4e6bfc44da442ba8d5
-
Size
191KB
-
MD5
1dcf68273681264082f59a9ff0851df1
-
SHA1
d47ac0d1966977c2b3a3154d38638aed5e37d5cd
-
SHA256
638b7341c29c901b02f462bb5fe449e246de3c0b98453a4e6bfc44da442ba8d5
-
SHA512
fadd6c8840496c7e4c243a77c746c0c083f0fc080110607d2b10d6b416608ecd6c117dca57ed1ef60da33a8674de2b471c99131c0af8df4e941eb9a4e8238a3d
Score10/10-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies RDP port number used by Windows
-
Sets DLL path for service in the registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-