General

  • Target

    7b493475f43f48d1b63e665c34009f45034865c49174e4a8a2e64c8ebc96696b

  • Size

    318KB

  • Sample

    211207-gasj7agacp

  • MD5

    5264852491b2f2bc2c63ff92b991f353

  • SHA1

    460bae403e4cfba08f82094fb9375a82252ccd44

  • SHA256

    7b493475f43f48d1b63e665c34009f45034865c49174e4a8a2e64c8ebc96696b

  • SHA512

    80bb8678abfd9b5a1c083df8c37635cad46964329d8a370326ccaa12c3be99cacea746700ecd061df57be9fc3af3a51fb9dc3ca84d5a63ea271e40960d53e206

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32
rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes
  • url4cnc

    http://91.219.236.27/capibar

    http://94.158.245.167/capibar

    http://185.163.204.216/capibar

    http://185.225.19.238/capibar

    http://185.163.204.218/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

amadey

Version

2.86

C2

185.215.113.35/d2VxjasuwS/index.php

Targets

    • Target

      7b493475f43f48d1b63e665c34009f45034865c49174e4a8a2e64c8ebc96696b

    • Size

      318KB

    • MD5

      5264852491b2f2bc2c63ff92b991f353

    • SHA1

      460bae403e4cfba08f82094fb9375a82252ccd44

    • SHA256

      7b493475f43f48d1b63e665c34009f45034865c49174e4a8a2e64c8ebc96696b

    • SHA512

      80bb8678abfd9b5a1c083df8c37635cad46964329d8a370326ccaa12c3be99cacea746700ecd061df57be9fc3af3a51fb9dc3ca84d5a63ea271e40960d53e206

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE Amadey CnC Check-In

      suricata: ET MALWARE Amadey CnC Check-In

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Tasks