netsupport

General

Target

0ce31a8771a2ff55b091199200de4b84544c8c99656330dca6ec584e466671e1
Size

289KB
Sample

220912-e28dlscfa8
MD5

de0d228b8d44c6fc7548f2895bcae6c4
SHA1

82d664efd93743f56f8987d31ca5ecb30c8794e2
SHA256

0ce31a8771a2ff55b091199200de4b84544c8c99656330dca6ec584e466671e1
SHA512

24c94385ced48da52f2dc4d17b20a48875ef779124810d8cd890d65200cd3235a1bd44c4140f50addb65d8d608f9b0898ab8bdb8baf7981f742ffa84922f42bf
SSDEEP

6144:D+MqIjiIWGy9QCaz0CfhYbtSz/5B/eNkUzewhE:aksVmCaz0CfhwgzUZ

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://microsoftdownload.ddns.net:8808/downloader/WinSecurityUpdate

Extracted

Family

raccoon

Botnet

567d5bff28c2a18132d2f88511f07435

C2

http://116.203.167.5/

http://195.201.248.58/

rc4.plain

Extracted

Family

quasar

Version

2.7.0.0

Botnet

2CCA

C2

thisisfakeih2d.ddns.net:4545

Mutex

kLxNe0gZ4GUsxKE0Oe

Attributes

encryption_key
7RyRUg3bJZBIQJhXL8R5
install_name
face.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client

Targets

- Target
  
  0ce31a8771a2ff55b091199200de4b84544c8c99656330dca6ec584e466671e1
- Size
  
  289KB
- MD5
  
  de0d228b8d44c6fc7548f2895bcae6c4
- SHA1
  
  82d664efd93743f56f8987d31ca5ecb30c8794e2
- SHA256
  
  0ce31a8771a2ff55b091199200de4b84544c8c99656330dca6ec584e466671e1
- SHA512
  
  24c94385ced48da52f2dc4d17b20a48875ef779124810d8cd890d65200cd3235a1bd44c4140f50addb65d8d608f9b0898ab8bdb8baf7981f742ffa84922f42bf
- SSDEEP
  
  6144:D+MqIjiIWGy9QCaz0CfhYbtSz/5B/eNkUzewhE:aksVmCaz0CfhwgzUZ
Score

10^/10

netsupport quasar raccoon smokeloader 2cca 567d5bff28c2a18132d2f88511f07435 backdoor discovery persistence rat spyware stealer trojan
- Detects Smokeloader packer
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1