General
-
Target
47dd92fd7ba5da52ed49e46777f231bf6eec4c597adc22ec9aa22f66c64eaec8
-
Size
288KB
-
Sample
220912-dkh7qacec5
-
MD5
04e28ce0a03f38c4fdb9ffd540bae6f7
-
SHA1
d56173639acb5a9b3804dcfe119f1eff2a5cbb3b
-
SHA256
47dd92fd7ba5da52ed49e46777f231bf6eec4c597adc22ec9aa22f66c64eaec8
-
SHA512
22e6d6f75fc78b675d179f2f16b29712597095bfe0c275cbd05f88c80c604167e7cb5bb3a086f5e27de439486f93aaa6bb99d8db60dbb6148935a60db0c92b37
-
SSDEEP
6144:FUmlIGoBiuK/tZ9KKcAShaVWsh7qXWYukF76yl+Hg:FlAa74KcAShYWsh7NOV69A
Static task
static1
Behavioral task
behavioral1
Sample
47dd92fd7ba5da52ed49e46777f231bf6eec4c597adc22ec9aa22f66c64eaec8.exe
Resource
win10-20220812-en
Malware Config
Extracted
http://microsoftdownload.ddns.net:8808/downloader/WinSecurityUpdate
Extracted
raccoon
567d5bff28c2a18132d2f88511f07435
http://116.203.167.5/
http://195.201.248.58/
Targets
-
-
Target
47dd92fd7ba5da52ed49e46777f231bf6eec4c597adc22ec9aa22f66c64eaec8
-
Size
288KB
-
MD5
04e28ce0a03f38c4fdb9ffd540bae6f7
-
SHA1
d56173639acb5a9b3804dcfe119f1eff2a5cbb3b
-
SHA256
47dd92fd7ba5da52ed49e46777f231bf6eec4c597adc22ec9aa22f66c64eaec8
-
SHA512
22e6d6f75fc78b675d179f2f16b29712597095bfe0c275cbd05f88c80c604167e7cb5bb3a086f5e27de439486f93aaa6bb99d8db60dbb6148935a60db0c92b37
-
SSDEEP
6144:FUmlIGoBiuK/tZ9KKcAShaVWsh7qXWYukF76yl+Hg:FlAa74KcAShYWsh7NOV69A
-
Detects Smokeloader packer
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-