General
-
Target
0528e3189b396370adac423e7ca81f07f3157895b6ffedd867eda41a27b25156
-
Size
248KB
-
Sample
211204-h994ysdde7
-
MD5
dff9bdcad727d580601e4fd78165f5ae
-
SHA1
b771bc3e80a7b333d5c78620e35bad77e6b38ce3
-
SHA256
0528e3189b396370adac423e7ca81f07f3157895b6ffedd867eda41a27b25156
-
SHA512
979ccb4212ddca44500db5e50b1949f611ea6214864642262364757bed7324272c4b5766167c42424a500333e50bf1207ecde5c55838aa3c74d6262b168ab7be
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Extracted
raccoon
1.8.3-hotfix
049dc5184bb65eb56e4e860bf61427e2a0fcba1e
-
url4cnc
http://185.225.19.18/duglassa1
http://91.219.237.227/duglassa1
https://t.me/duglassa1
Extracted
raccoon
1.8.3-hotfix
b620be4c85b4051a92040003edbc322be4eb082d
-
url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar
Targets
-
-
Target
0528e3189b396370adac423e7ca81f07f3157895b6ffedd867eda41a27b25156
-
Size
248KB
-
MD5
dff9bdcad727d580601e4fd78165f5ae
-
SHA1
b771bc3e80a7b333d5c78620e35bad77e6b38ce3
-
SHA256
0528e3189b396370adac423e7ca81f07f3157895b6ffedd867eda41a27b25156
-
SHA512
979ccb4212ddca44500db5e50b1949f611ea6214864642262364757bed7324272c4b5766167c42424a500333e50bf1207ecde5c55838aa3c74d6262b168ab7be
Score10/10-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-