General

  • Target

    0e4bff3364a966619946cab25db13f9cb74ef9f3c83e5cdab09925606cba4e9e

  • Size

    288KB

  • Sample

    220912-bwmm6scde8

  • MD5

    a8e3378821eb744f2734cfdfbde16439

  • SHA1

    3ab27ca191ace417328b8b7b0a8f8e76ddab4bcc

  • SHA256

    0e4bff3364a966619946cab25db13f9cb74ef9f3c83e5cdab09925606cba4e9e

  • SHA512

    d18d76f1a944d39734a326e39f8541468414196cd998755c7a11d043ee0eb9899ef535d67e24dff816ef4cc2f0560d8f2de021c7db60d8cfe8411e07854f5df0

  • SSDEEP

    6144:qrNq1E5ucGrO9arccaifBCu88ILHPkjwgGzWDpcK:qcLcGyQrccaifBCu88Izk7DpN

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

    URLs

  • ps1.dropper

    http://microsoftdownload.ddns.net:8808/downloader/WinSecurityUpdate

Extracted

  • Family

    raccoon

  • Botnet

    567d5bff28c2a18132d2f88511f07435

  • C2

    http://116.203.167.5/

    http://195.201.248.58/

  • rc4.plain

Targets

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.
