General
-
Target
b32f87626a936d0bcd63e951f5e1219433c3b8c20f1ff318a0b6e8fc0b573423
-
Size
191KB
-
Sample
211110-stt3xahch7
-
MD5
ad782752d4a4e88a701048172a309af0
-
SHA1
dccdfea47d9c559d3a2030420a0308349efa49cc
-
SHA256
b32f87626a936d0bcd63e951f5e1219433c3b8c20f1ff318a0b6e8fc0b573423
-
SHA512
fadc46f68563999126403333be2036e8479e80f59c6f843440b3ba8fa20e0baccfe83d0937da185b97465f76893c98ef04da4984ca95de86bea920d8304ca867
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Extracted
raccoon
1.8.3-hotfix
fcdc156d3872c18d25e3ee45499599b45e492a67
-
url4cnc
http://178.23.190.57/rino115sipsip
http://91.219.236.162/rino115sipsip
http://185.163.47.176/rino115sipsip
http://193.38.54.238/rino115sipsip
http://74.119.192.122/rino115sipsip
http://91.219.236.240/rino115sipsip
https://t.me/rino115sipsip
Targets
-
-
Target
b32f87626a936d0bcd63e951f5e1219433c3b8c20f1ff318a0b6e8fc0b573423
-
Size
191KB
-
MD5
ad782752d4a4e88a701048172a309af0
-
SHA1
dccdfea47d9c559d3a2030420a0308349efa49cc
-
SHA256
b32f87626a936d0bcd63e951f5e1219433c3b8c20f1ff318a0b6e8fc0b573423
-
SHA512
fadc46f68563999126403333be2036e8479e80f59c6f843440b3ba8fa20e0baccfe83d0937da185b97465f76893c98ef04da4984ca95de86bea920d8304ca867
Score10/10-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies RDP port number used by Windows
-
Sets DLL path for service in the registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-