netsupport | 5da3c4a15aa44b90d001fe70ed1d53e9b65e8b5f71ccd312b26c00de3e409bde | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

5da3c4a15aa44b90d001fe70ed1d53e9b65e8b5f71ccd312b26c00de3e409bde
Size

301KB
Sample

220911-q3ch4sfdfn
MD5

aacfd932cf20dcd8ce0c7371efbe24c0
SHA1

7cea35ff71e8a14fa8de374257f6f16ecb08113c
SHA256

5da3c4a15aa44b90d001fe70ed1d53e9b65e8b5f71ccd312b26c00de3e409bde
SHA512

7cfb0a88fa7e30436ad2f3328c8912fdec4744c46b015707c36e892e31a503ac4bec3005ecaf8edb3dde62149680e74f34579303a7be53a58e774a92b3c95a51
SSDEEP

6144:w7yHlMA17vpAbap1PaCICE6nfjCLtR69vuTRdxzV:wCKA5pAbK1PaCIz6nGtMvuFD

Score

10^/10

netsupport raccoon smokeloader 567d5bff28c2a18132d2f88511f07435 backdoor discovery rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

5da3c4a15aa44b90d001fe70ed1d53e9b65e8b5f71ccd312b26c00de3e409bde.exe

Resource

win10v2004-20220812-en

netsupport raccoon smokeloader 567d5bff28c2a18132d2f88511f07435 backdoor discovery rat spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

raccoon

Botnet

567d5bff28c2a18132d2f88511f07435

C2

http://116.203.167.5/

http://195.201.248.58/

rc4.plain

Targets

- Target
  
  5da3c4a15aa44b90d001fe70ed1d53e9b65e8b5f71ccd312b26c00de3e409bde
- Size
  
  301KB
- MD5
  
  aacfd932cf20dcd8ce0c7371efbe24c0
- SHA1
  
  7cea35ff71e8a14fa8de374257f6f16ecb08113c
- SHA256
  
  5da3c4a15aa44b90d001fe70ed1d53e9b65e8b5f71ccd312b26c00de3e409bde
- SHA512
  
  7cfb0a88fa7e30436ad2f3328c8912fdec4744c46b015707c36e892e31a503ac4bec3005ecaf8edb3dde62149680e74f34579303a7be53a58e774a92b3c95a51
- SSDEEP
  
  6144:w7yHlMA17vpAbap1PaCICE6nfjCLtR69vuTRdxzV:wCKA5pAbK1PaCIz6nGtMvuFD
Score

10^/10

netsupport raccoon smokeloader 567d5bff28c2a18132d2f88511f07435 backdoor discovery rat spyware stealer trojan
- Detects Smokeloader packer
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

netsupportraccoonsmokeloader567d5bff28c2a18132d2f88511f07435backdoordiscoveryratspywarestealertrojan

© 2018-2024

Terms | Privacy