General
Target: 57a0e2fcfe386ee249288200e072f2f809adcc2b475a6104feab914ccbb35bc4
Size: 1.0MB
Sample: 220308-vlxvyacchr
MD5: 778f174d7483a70a1a8e327ae3d4fcb8
SHA1: 39c283908dd2e16c0952d67ff1e42b003509214e
SHA256: 57a0e2fcfe386ee249288200e072f2f809adcc2b475a6104feab914ccbb35bc4
SHA512: 7034d577243a9242473597527e94df4ef950973bb795088bb16e73bf743a8423fc8579047f51c5f5c1c8bea3b36f070f053c19abde744bde0a9819a12dc6c017

Static task
static1

Malware Config

Extracted
smokeloader
2020
http://2.56.59.26/

Extracted
raccoon
1c0fad6805a0f65d7b597130eb9f089ffbe9857d
url4cnc:
http://194.180.191.241/capibar
http://103.155.93.35/capibar
https://t.me/capibar

Extracted
asyncrat
1.0.7
encoder
89.223.125.80:7655
dev
anti_vm: true
bsod: true
delay: 1
install: false
install_file: doncry.exe
install_folder: %AppData%
pastebin_config: null
Targets

Target: 57a0e2fcfe386ee249288200e072f2f809adcc2b475a6104feab914ccbb35bc4
Size: 1.0MB
MD5: 778f174d7483a70a1a8e327ae3d4fcb8
SHA1: 39c283908dd2e16c0952d67ff1e42b003509214e
SHA256: 57a0e2fcfe386ee249288200e072f2f809adcc2b475a6104feab914ccbb35bc4
SHA512: 7034d577243a9242473597527e94df4ef950973bb795088bb16e73bf743a8423fc8579047f51c5f5c1c8bea3b36f070f053c19abde744bde0a9819a12dc6c017
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext