General

  • Target

    0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.zip

  • Size

    160KB

  • Sample

    220222-v9179sbga3

  • MD5

    2c7cc3e7f613dea6a5f835f6698f8615

  • SHA1

    8ffe432e3b65e8b23ba283edae58d1aa15390e57

  • SHA256

    68cfdbb6b156ddb0502ff19fe6d6f5135f13bb8f7f785167c080e3f580d1ad78

  • SHA512

    da2c63d2a5392c2765f1bdbe0469d12682a803910849c8f34eec73e0d21c8bf4993ba4e719c4c0ea6a496e43eb5a251448b2c9a0bd15f5e66d19ff320554bdb6

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

rc4.i32

Extracted

Family

icedid

Campaign

1843818144

C2

grendafolz.com

Extracted

Family

raccoon

Botnet

9185b8c5d1dac158cc47aef92b143671d2c3a9bf

Attributes
  • url4cnc

rc4.plain

Targets

    • Target

      0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8

    • Size

      267KB

    • MD5

      5478d0872828e7cc05b8c3d59877de57

    • SHA1

      b8a74db005723b3431825d188ea7a03c5f7116c9

    • SHA256

      0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8

    • SHA512

      c09553be0d69e75bed30c572a98dc86c5373c2adbedb7be31d1fc1a45b66020b24830be1bdad077015394d8ddc40c9fdeaa687fb91e000a9764b5f5a0a7c08b2

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Raccoon

      Simple but powerful infostealer that was very active in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • IcedID First Stage Loader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    1 × Command-Line Interface (T1059)

  • Persistence

    1 × Modify Existing Service (T1031)

  • Defense Evasion

    2 × Modify Registry (T1112)

    1 × Install Root Certificate (T1130)

  • Credential Access

    1 × Credentials in Files (T1081)

  • Discovery

    4 × Query Registry (T1012)

    6 × System Information Discovery (T1082)

    1 × Peripheral Device Discovery (T1120)

  • Collection

    1 × Data from Local System (T1005)

    2 × Email Collection (T1114)

Tasks