General

  • Target

    crypted[1].bin

  • Size

    1MB

  • Sample

    191129-bykghah8ge

  • MD5

    121f7cba18bcb38e68bd4fc4f2e71815

  • SHA1

    25f64ae766388a2c6b43c063a84451b6725e3115

  • SHA256

    9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

  • SHA512

    7b10cfffea055f61c773fae242c4e151b61109018e82c47d5ef54321cd7eb30deb58d2fb10fc4906331437bbf232e391bec407c1e2db82159b2eea52c4de07de

Malware Config

Targets

    • Target

      crypted[1].bin

    • Size

      1MB

    • MD5

      121f7cba18bcb38e68bd4fc4f2e71815

    • SHA1

      25f64ae766388a2c6b43c063a84451b6725e3115

    • SHA256

      9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

    • SHA512

      7b10cfffea055f61c773fae242c4e151b61109018e82c47d5ef54321cd7eb30deb58d2fb10fc4906331437bbf232e391bec407c1e2db82159b2eea52c4de07de

    • raccoon family

    • Deletes itself

    • Loads dropped DLL

    • Accesses Bither wallet, possible credential harvesting

    • Checks for installed software on the system

    • Modifies system certificate store

    • Reads 7star user data, possible credential harvesting

    • Reads Amigo user data, possible credential harvesting

    • Reads Bromium user data, possible credential harvesting

    • Reads Centbrowser user data, possible credential harvesting

    • Reads Chedot user data, possible credential harvesting

    • Reads Chrome SxS user data, possible credential harvesting

    • Reads Chrome user data, possible credential harvesting

    • Reads Chromium user data, possible credential harvesting

    • Reads Dragon user data, possible credential harvesting

    • Reads Elements browser user data, possible credential harvesting

    • Reads Epic privacy browser user data, possible credential harvesting

    • Reads Firefox user profile, possible credential harvesting

    • Reads Go! user data, possible credential harvesting

    • Reads Kometa user data, possible credential harvesting

    • Reads Mustang user data, possible credential harvesting

    • Reads Nichrome user data, possible credential harvesting

    • Reads Orbitum user data, possible credential harvesting

    • Reads Pale Moon browser user profile, possible credential harvesting

    • Reads Qip surf user data, possible credential harvesting

    • Reads Rockmelt user data, possible credential harvesting

    • Reads Secure browser user data, possible credential harvesting

    • Reads Sputnik user data, possible credential harvesting

    • Reads Suhba user data, possible credential harvesting

    • Reads Superbird user data, possible credential harvesting

    • Reads Tor Browser user profile, possible credential harvesting

    • Reads Torch user data, possible credential harvesting

    • Reads Uran user data, possible credential harvesting

    • Reads Vivaldi user data, possible credential harvesting

    • Reads Waterfox user profile, possible credential harvesting

    • Reads user profile for Thunderbird email client, possible credential harvesting

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation