General

  • Target: E7A7032DDAE1ADFD64C4C378C6E97BE7A2453228C7014.exe
  • Size: 285KB
  • Sample: 220222-2mnrzsgaeq
  • MD5: 8bce39cd73af077e8a24360ad94cd368
  • SHA1: f761251b872215b0d34b76a53dd6b1452c6ca255
  • SHA256: e7a7032ddae1adfd64c4c378c6e97be7a2453228c7014a21d3945fc3ddc85d75
  • SHA512: 5c3d9be970deef5ea27c11758656512b49533cdbaeae432569f442c7f30c4c054c313e283b09aea282de7d93a09af143293592221014784c337626250a7b81a0

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2020
  • C2:
    http://nahbleiben.at/upload/
    http://noblecreativeaz.com/upload/
    http://tvqaq.cn/upload/
    http://recmaster.ru/upload/
    http://sovels.ru/upload/
    https://oakland-studio.video/search.php
    https://seattle-university.video/search.php
  • rc4.i32 (4 entries; key values not included in the report)

Extracted

  • Family: icedid
  • Campaign: 1843818144
  • C2: grendafolz.com

Extracted

  • Family: raccoon
  • Botnet: 9185b8c5d1dac158cc47aef92b143671d2c3a9bf
  • Attributes (url4cnc):
    http://206.189.100.203/kernelnixbarbos
    http://194.180.191.234/kernelnixbarbos
    http://185.163.204.216/kernelnixbarbos
    http://139.162.157.205/kernelnixbarbos
    https://t.me/kernelnixbarbos
  • rc4.plain (2 entries; key values not included in the report)

Targets

    • Target: E7A7032DDAE1ADFD64C4C378C6E97BE7A2453228C7014.exe (size and hashes as listed under General above)

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Raccoon

      A simple but powerful infostealer that was very active in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

    • suricata: ET MALWARE Win32/IcedID Request Cookie

    • IcedID First Stage Loader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Install Root Certificate (T1130): 1
  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1
