General

  • Target

    b62c189bc134eee76e393a4c6a6c43a9f8f9d77b16009c07788c364c6dce4519

  • Size

    249KB

  • Sample

    230218-s535yscf35

  • MD5

    f48dc0d07e2224bf8d1fc27516e84dac

  • SHA1

    ff56ce8076fe81375ac45a84e726fa1ff958f07f

  • SHA256

    b62c189bc134eee76e393a4c6a6c43a9f8f9d77b16009c07788c364c6dce4519

  • SHA512

    90afe002aed4dec8b3a5fca9b215be7ca6c523aa2624e17965e1184ebd4568a8f089cab6dc76aa32afb0d3dddec7c684caef259798cd7b9619a42552161a929d

  • SSDEEP

    3072:vA28DzM7LzJxynpgTPAjFymnfF2ATL4Cf2qf4l5m+2mpGZ1VU+fihb:4v87LzJqgTWy8sqVfZy4+bpGZffip

Malware Config

Targets

    • Target

      b62c189bc134eee76e393a4c6a6c43a9f8f9d77b16009c07788c364c6dce4519

    • Size

      249KB

    • MD5

      f48dc0d07e2224bf8d1fc27516e84dac

    • SHA1

      ff56ce8076fe81375ac45a84e726fa1ff958f07f

    • SHA256

      b62c189bc134eee76e393a4c6a6c43a9f8f9d77b16009c07788c364c6dce4519

    • SHA512

      90afe002aed4dec8b3a5fca9b215be7ca6c523aa2624e17965e1184ebd4568a8f089cab6dc76aa32afb0d3dddec7c684caef259798cd7b9619a42552161a929d

    • SSDEEP

      3072:vA28DzM7LzJxynpgTPAjFymnfF2ATL4Cf2qf4l5m+2mpGZ1VU+fihb:4v87LzJqgTWy8sqVfZy4+bpGZffip

    • Detects Smokeloader packer

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from brand microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Command and Control

Web Service

1
T1102

Tasks