Overview

overview

10

Static

static

helper.exe

windows7_x64

10

helper.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    helper.exe

  • Size

    708KB

  • Sample

    210208-r7gjlrp56e

  • MD5

    fc7316c04e5a5c6e7279f072a6408f74

  • SHA1

    9a58dce97f8a5e5096521a08a5bc4e7a8831e3b9

  • SHA256

    256344eb42537328e034750e996263275e13fe77e4c5edafd4c625b53db07ae3

  • SHA512

    6ad3c165748e516e5715a39d7f6b58a1698a9bddf2402f79e3446a6e915a443754b09f1cb21d0befbe11aa3e993ef8aca7a8529ee3dd2f27c3b0f39cc2ff3f26

Score
10/10
raccoon0fe6e83cccc8eaef9dd7af9c2e1acf59b514423ddiscoveryransomwarespywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

0fe6e83cccc8eaef9dd7af9c2e1acf59b514423d

Attributes
  • url4cnc

    https://telete.in/jbitchsucks

rc4.plain
rc4.plain

Targets

    • Target

      helper.exe

    • Size

      708KB

    • MD5

      fc7316c04e5a5c6e7279f072a6408f74

    • SHA1

      9a58dce97f8a5e5096521a08a5bc4e7a8831e3b9

    • SHA256

      256344eb42537328e034750e996263275e13fe77e4c5edafd4c625b53db07ae3

    • SHA512

      6ad3c165748e516e5715a39d7f6b58a1698a9bddf2402f79e3446a6e915a443754b09f1cb21d0befbe11aa3e993ef8aca7a8529ee3dd2f27c3b0f39cc2ff3f26

    Score
    10/10
    raccoon0fe6e83cccc8eaef9dd7af9c2e1acf59b514423dstealerdiscoveryransomwarespyware

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spyware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks