netdooka | bd59e50bd956f6ef82d05a2a9f945543cc3c4868a6916f772b6f53d51f804903

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
Size

660KB
MD5

54a315b26c66694821fb2091ef865f7f
SHA1

9f79ec5e7845bd33a58124fd3d10637a20630bb5
SHA256

4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef
SHA512

625e851ddedd83103d1b27c25bdb8428e8aab9321436d48668112dd887f9ede5655b4f5b13d69e656bae522951c50cedd53426de725788ba5697089e81156814
SSDEEP

12288:nBxT3SKVIC9HdFEtttJl3Mob+60MCV94D0cIegdu1oeK/lGRgOUqmq9kR6lhKXhh:BxT3ZVB9HdFQPl3M06MCV9k0DegduieE

Score

10^/10

netdooka loader rat

Malware Config

Extracted

Family

netdooka

Signatures

NetDooka
NetDooka is a malware framework distributed by way of a pay-per-install and written in C#.
loader rat netdooka

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88
PID 3540 wrote to memory of 3808	3540	4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe	88

C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
"C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe
  "C:\Users\Admin\AppData\Local\Temp\4ceded881995aa09ac269002c4312560ac38576aa82d95dc85d28a1a2b76bbef.exe"
  2⤵
  PID:3808

Network

DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

132.250.30.184.in-addr.arpa

Remote address:

8.8.8.8:53

Request

132.250.30.184.in-addr.arpa

IN PTR

Response

132.250.30.184.in-addr.arpa

IN PTR

a184-30-250-132deploystaticakamaitechnologiescom
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

65.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.139.73.23.in-addr.arpa

IN PTR

Response

65.139.73.23.in-addr.arpa

IN PTR

a23-73-139-65deploystaticakamaitechnologiescom
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

249.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.197.17.2.in-addr.arpa

IN PTR

Response

249.197.17.2.in-addr.arpa

IN PTR

a2-17-197-249deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

216 B
158 B
3
1

DNS Request

20.160.190.20.in-addr.arpa

DNS Request

20.160.190.20.in-addr.arpa

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

132.250.30.184.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

132.250.30.184.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

65.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

65.139.73.23.in-addr.arpa
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

249.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

249.197.17.2.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3540-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3540-1-0x00000000022F0000-0x0000000002350000-memory.dmp

Filesize
384KB

Download
memory/3540-2-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3540-3-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3540-4-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3540-5-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3540-6-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3540-7-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3540-8-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/3540-9-0x0000000003450000-0x0000000003452000-memory.dmp

Filesize
8KB

Download
memory/3540-10-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3540-11-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/3540-12-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3540-13-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3540-15-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3540-16-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3540-14-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3540-17-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/3540-18-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3540-19-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3540-20-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/3540-21-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/3540-22-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3540-23-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/3540-24-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/3540-25-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3540-26-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3540-27-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3540-28-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3540-30-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/3540-29-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3540-31-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3540-32-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3540-33-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/3540-34-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3540-35-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/3540-36-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/3540-52-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3540-53-0x00000000022F0000-0x0000000002350000-memory.dmp

Filesize
384KB

Download
memory/3808-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-43-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3808-44-0x0000000073310000-0x0000000073AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3808-45-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3808-46-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3808-47-0x00000000024B0000-0x00000000024D2000-memory.dmp

Filesize
136KB

Download
memory/3808-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-51-0x0000000073310000-0x0000000073AC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.