Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v200217
  • submitted
    18-02-2020 15:20

General

  • Target

    b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55.exe

  • Size

    1.4MB

  • MD5

    348f0076f012ff2394b7c1c21dc91876

  • SHA1

    0cf8cfde66b6e6c1cbf64e1fe0a29dc56dec961b

  • SHA256

    b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55

  • SHA512

    37268bb8a9dc25365867819bd384239a1db5b8d35a3e3fbcc851400eb4b1e557b48adc7151d83ca0f073f814a0749a71c6dce2fc88dabbc542c24f230acff8c7

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\machineinfo.txt

Family

raccoon

Ransom Note
[Raccoon Stealer] - v1.2 Kushage Release Build compiled on Mon Oct 28 17:22:24 2019 Launched at: 2020.02.18 - 16:21:44 GMT Bot_ID: 443E833C-4F92-4BAD-9E5E-EEC62C6F043E_Admin ============ System Information: - System Language: English - ComputerName: HAUYOKHG - Username: Admin - IP: 154.61.71.13 - Windows version: NT 6.2 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (667 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

raccoon

Botnet

316ff478595e2db6ecc2380dc0039736dea133bc

C2

http://34.76.55.103/gate/log.php

Attributes
  • url4cnc

    https://drive.google.com/uc?export=download&id=1Bi_uNdZ2iSQljAb5TSljuYV1vp5edk1X

rc4.plain

Signatures

  • Checks for installed software on the system 1 TTPs 27 IoCs
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads browser user data or profiles (possible credential harvesting) 2 TTPs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55.exe
    "C:\Users\Admin\AppData\Local\Temp\b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55.exe
      C:\Users\Admin\AppData\Local\Temp\b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55.exe
      2⤵
      • Checks for installed software on the system
      • Loads dropped DLL
      PID:3720

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll

  • \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll

  • \Users\Admin\AppData\Local\Temp\sqlite3.dll

  • memory/3720-0-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB