payload.bin

General

Target: payload.bin.exe
Filesize: N/A
Completed: 02-12-2019 23:14
Score: 10/10
SHA256: 9d86acff939f2bab3d4a8a8eed8581475189a3e76ba03bbe30e7b36c4b0ffd38

Malware Config
Signatures 37


Collection
Credential Access
Defense Evasion
Discovery
  • Reads Epic privacy browser user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ | payload.bin.exe
  • Reads Nichrome user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Nichrome\User Data\ | payload.bin.exe
  • Reads Centbrowser user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\CentBrowser\User Data\ | payload.bin.exe
  • Reads Kometa user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Kometa\User Data\ | payload.bin.exe
  • Reads Go! user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Go!\User Data\ | payload.bin.exe
  • Reads Uran user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ | payload.bin.exe
  • Reads Amigo user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Amigo\User Data\ | payload.bin.exe
  • Reads Qip surf user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\QIP Surf\User Data\ | payload.bin.exe
  • Reads user profile for Thunderbird email client, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ | payload.bin.exe
  • Reads Dragon user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ | payload.bin.exe
  • Reads Torch user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Torch\User Data\ | payload.bin.exe
  • Reads Firefox user profile, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ | payload.bin.exe
  • Reads Secure browser user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ | payload.bin.exe
  • Reads Chedot user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Chedot\User Data\ | payload.bin.exe
  • Reads 7star user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ | payload.bin.exe
  • Reads Chrome SxS user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ | payload.bin.exe
  • Reads Rockmelt user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\RockMelt\User Data\ | payload.bin.exe
  • Reads Tor Browser user profile, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\TorBro\Profile\ | payload.bin.exe
  • Reads Vivaldi user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Vivaldi\User Data\ | payload.bin.exe
  • Reads Orbitum user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Orbitum\User Data\ | payload.bin.exe
  • Checks for installed software on the system

    Tags

    TTPs

    Query Registry

    Reported IOCs

    description | ioc
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
    Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  • Reads Suhba user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Suhba\User Data\ | payload.bin.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    1508 | cmd.exe
  • Reads Chromium user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Chromium\User Data\ | payload.bin.exe
  • Reads Pale Moon browser user profile, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ | payload.bin.exe
  • Reads Mustang user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ | payload.bin.exe
  • Reads Superbird user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Superbird\User Data\ | payload.bin.exe
  • Reads Waterfox user profile, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ | payload.bin.exe
  • Reads Bromium user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Bromium\User Data\ | payload.bin.exe
  • Modifies system certificate store

    TTPs

    Install Root Certificate
    Modify Registry

    Reported IOCs

    description | ioc
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d03003000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe7e00000001000000080000000000042beb77d5017f000000010000000c000000300a06082b060105050703091d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d00520032000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e
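The Blob written above is a CryptoAPI certificate context serialized as a list of properties (DWORD property id, DWORD reserved, DWORD length, data), with the DER certificate under property id 32 (CERT_CERT_PROP_ID), its SHA-1 under id 3 and a UTF-16LE friendly name under id 11. The key name is that SHA-1 thumbprint, and AuthRoot is the store that Windows' automatic root update fills from Microsoft's trusted-root list; this particular blob decodes to the GlobalSign Root CA - R2 certificate with friendly name "Google Trust Services - GlobalSign Root CA-R2", so the "Install Root Certificate" hit is consistent with a background root update during the run rather than the sample planting a CA of its own. Before treating such a hit as malicious, decode the blob and check that the thumbprint in the key name is really the SHA-1 of the embedded certificate and that the subject is one you expect. The decoder below is an added example, not part of the Triage report or of the sample; it embeds the key name and Blob hex from this report (split at property boundaries for readability), and the function names and the returned dictionary layout are this example's own.

```python
"""Decode an AuthRoot\\Certificates\\<thumbprint>\\Blob value and cross-check it (added example)."""
import hashlib
import struct

# CryptoAPI property ids used below; the remaining ids in the blob are carried through as-is.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

# Key name and Blob hex copied from the report above; the concatenation is byte-for-byte the
# reported value, only split per property entry so the layout is visible.
AUTHROOT_KEY = "75E0ABB6138512271C04F85FDDDE38E4B7242EFE"
BLOB_HEX = (
    "0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d030"                            # id 4: MD5
    "03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe"                    # id 3: SHA-1
    "7e00000001000000080000000000042beb77d501"
    "7f000000010000000c000000300a06082b06010505070309"
    "1d000000010000001000000073621e116224668780b2d2bee454e52e"
    "1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e"                    # id 20: key id
    "620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e"
    "5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0"
    "0b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d00520032000000"
    "090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202"
    "0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e"
    "2000000001000000be030000"                                                            # id 32: the DER cert
    "308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500"
    "304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e"
    "301e170d3036313231353038303030305a170d3231313231353038303030305a"
    "304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b8"
    "2dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001"
    "a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e"
    "300d06092a864886f70d01010505000382010100"
    "998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e"
)

X501_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the serialized property list: DWORD id, DWORD reserved, DWORD length, data."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} claims {length} bytes, {len(data)} present")
        props[prop_id] = data
        off += length
    return props


def der_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for one DER element; handles long-form lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(value: bytes):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def name_to_dict(name_der: bytes) -> dict:
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }; unknown OIDs keyed by hex."""
    out = {}
    for _, rdn_set in der_children(name_der):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, value) = der_children(atv)[:2]
            out[X501_OIDS.get(oid, oid.hex())] = value.decode("utf-8", "replace")
    return out


def describe_cert(der: bytes) -> dict:
    """Pull serial, issuer, validity and subject out of a DER X.509 certificate."""
    _, cert, _ = der_tlv(der)                 # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                 # tbsCertificate is its first element
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = (v.decode("ascii") for _, v in der_children(fields[3][1]))
    return {"serial": fields[0][1].hex(), "issuer": name_to_dict(fields[2][1]),
            "not_before": not_before, "not_after": not_after, "subject": name_to_dict(fields[4][1])}


def inspect_authroot_entry(key_name: str, blob_hex: str) -> dict:
    """Decode one Blob and check that the key name really is the SHA-1 of the embedded cert."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(cert).digest()
    info = describe_cert(cert)
    info["thumbprint"] = sha1.hex().upper()
    # A key name that is not the SHA-1 of the stored cert means the entry was not written by
    # the normal store code path and deserves a closer look.
    info["thumbprint_matches_key"] = info["thumbprint"] == key_name.upper()
    info["stored_sha1_matches"] = props.get(CERT_SHA1_HASH_PROP_ID) == sha1
    info["friendly_name"] = props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00")
    info["self_signed"] = info["issuer"] == info["subject"]
    return info


if __name__ == "__main__":
    for key, val in inspect_authroot_entry(AUTHROOT_KEY, BLOB_HEX).items():
        print(f"{key}: {val}")
```

Run as a script it prints the decoded subject, serial, validity window, friendly name and the two hash checks for the value in this report; pointing it at a Blob whose key name does not equal the embedded certificate's SHA-1, or whose subject is not a root you recognise, is the case worth escalating.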
  • Raccoon

    Description

    It's the RaccAttack!

  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    1240 | PING.EXE
  • Reads Elements browser user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Elements Browser\User Data\ | payload.bin.exe
  • Loads dropped DLL
    payload.bin.exe

    Reported IOCs

    pid | process
    856 | payload.bin.exe
  • Suspicious use of WriteProcessMemory
    payload.bin.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 856 wrote to memory of 1508 | 856 | payload.bin.exe | cmd.exe
    PID 1508 wrote to memory of 1240 | 1508 | cmd.exe | PING.EXE
  • Reads Chrome user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ | payload.bin.exe
  • Reads Sputnik user data, possible credential harvesting
    payload.bin.exe

    Tags

    TTPs

    Data from Local System
    Credentials in Files

    Reported IOCs

    ioc | process
    C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ | payload.bin.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
    Reads Epic privacy browser user data, possible credential harvesting
    Reads Nichrome user data, possible credential harvesting
    Reads Centbrowser user data, possible credential harvesting
    Reads Kometa user data, possible credential harvesting
    Reads Go! user data, possible credential harvesting
    Reads Uran user data, possible credential harvesting
    Reads Amigo user data, possible credential harvesting
    Reads Qip surf user data, possible credential harvesting
    Reads user profile for Thunderbird email client, possible credential harvesting
    Reads Dragon user data, possible credential harvesting
    Reads Torch user data, possible credential harvesting
    Reads Firefox user profile, possible credential harvesting
    Reads Secure browser user data, possible credential harvesting
    Reads Chedot user data, possible credential harvesting
    Reads 7star user data, possible credential harvesting
    Reads Chrome SxS user data, possible credential harvesting
    Reads Rockmelt user data, possible credential harvesting
    Reads Tor Browser user profile, possible credential harvesting
    Reads Vivaldi user data, possible credential harvesting
    Reads Orbitum user data, possible credential harvesting
    Reads Suhba user data, possible credential harvesting
    Reads Chromium user data, possible credential harvesting
    Reads Pale Moon browser user profile, possible credential harvesting
    Reads Mustang user data, possible credential harvesting
    Reads Superbird user data, possible credential harvesting
    Reads Waterfox user profile, possible credential harvesting
    Reads Bromium user data, possible credential harvesting
    Reads Elements browser user data, possible credential harvesting
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    Reads Chrome user data, possible credential harvesting
    Reads Sputnik user data, possible credential harvesting
    PID:856
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        Runs ping.exe
        PID:1240
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "170567490699066284820195978591905946548-1324181297-6827939461883015892416655494"
    PID:1264
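The cmd.exe child in the process tree above is the sample removing its own binary: ping to 1.1.1.1 with -n 1 -w 3000 is a sleep that gives payload.bin.exe (PID 856) time to exit and release its file handle, and Del /f /q then removes the file (hence the "Deletes itself" signature). Neither ping nor del is suspicious on its own; the signal is a cmd.exe whose del target is the image path of its own parent, optionally preceded by a delay. The checker below is an added example, not part of the Triage report or of any detection product. The ProcEvent records are constructed to mirror the page's process tree (PIDs 856, 1508 and 1240 with the command lines shown), plus an invented benign installer (PIDs 1999 and 2000) for contrast; the regexes and function names are this example's own.

```python
"""Flag the ping-delay-then-del self-deletion chain in process-creation events (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon event 1 or EDR feed carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events: the first three mirror the report's process tree, the last two are an
# invented benign installer whose cmd.exe deletes a log file rather than its parent.
EVENTS = [
    ProcEvent(856, 1000, r"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"'),
    ProcEvent(1508, 856, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q '
              r'"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"'),
    ProcEvent(1240, 1508, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    ProcEvent(1999, 1, r"C:\Users\Admin\Downloads\setup.exe", r'"C:\Users\Admin\Downloads\setup.exe"'),
    ProcEvent(2000, 1999, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
]

# `del`/`erase`, optional switches, then a (possibly quoted) path up to the next operator or end.
DEL_RE = re.compile(
    r'\b(?:del|erase)\b(?P<flags>(?:\s+/[a-z])*)\s+"?(?P<target>[^"&|]+?)"?\s*(?:&|\||$)', re.I)
# Common cmd.exe sleeps: ping with a count, timeout, choice with a timeout.
DELAY_RE = re.compile(
    r'\b(?:ping\s+\S+\s+-n\s+\d+|timeout\s+(?:/t\s+)?\d+|choice\s+/t\s+\d+)\b', re.I)


def find_self_deletion(events):
    """Return one hit per cmd.exe whose del target is its parent's own image path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # no parent record in this batch; nothing to compare against
        for m in DEL_RE.finditer(ev.cmdline):
            target = m.group("target").strip()
            if target.lower() != parent.image.lower():
                continue  # deleting some other file is ordinary cleanup
            hits.append({
                "cmd_pid": ev.pid,
                "parent_pid": parent.pid,
                "target": target,
                "flags": m.group("flags").split(),
                "delayed": bool(DELAY_RE.search(ev.cmdline)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print(hit)
```

Comparing the del target against the parent image (rather than matching on `ping ... & del`) keeps the rule quiet for installers and updaters that clean up temp files, and still fires when the delay is done with timeout or choice instead of ping.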
Network
MITRE ATT&CK Matrix
  Command and Control
  Credential Access
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Persistence
  Privilege Escalation
Downloads
  • \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll
  • \Users\Admin\AppData\Local\Temp\AdLibs\msvcp140.dll
  • \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll
  • \Users\Admin\AppData\Local\Temp\AdLibs\vcruntime140.dll
  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
  • memory/856-1-0x0000000001DE0000-0x0000000001DF1000-memory.dmp
  • memory/856-0-0x0000000000900000-0x0000000000901000-memory.dmp

  nss3.dll and mozglue.dll are the Mozilla NSS libraries needed to decrypt Firefox- and Thunderbird-style saved logins, sqlite3.dll reads the Chromium-family Login Data databases, and msvcp140.dll/vcruntime140.dll are their Visual C++ runtime dependencies; together they account for the "Loads dropped DLL" signature and the browser profile reads above.