Overview

overview

10

Static

static

CHEAT.exe

windows7_x64

10

CHEAT.exe

windows10_x64

10

Analysis

  • max time kernel
    97s
  • max time network
    98s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CHEAT.exe

  • Size

    560KB

  • MD5

    d93f322e915785edd46779a708e4f6d1

  • SHA1

    778331a71313b0108d4fbbfa93304a441fc36c87

  • SHA256

    59adfc0c805869287af49100c2ea65a80e6ebbaaf256f5e40d488b5dad38ee65

  • SHA512

    b63fd4c5dcd3df8a17307ac55d302365f383d3834f469441ce586f92cbf0813b90ae85d8e0c4a0e78bbf3465943f3562958fc6618eeb4514ad3bd5c20d240fc9

Score
10/10
raccoon392ed1d1c41045fcab62229aa831efc30cb93f05stealer

Malware Config

Extracted

Family

raccoon

Botnet

392ed1d1c41045fcab62229aa831efc30cb93f05

Attributes
  • url4cnc

    https://telete.in/jomrblack

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CHEAT.exe
    "C:\Users\Admin\AppData\Local\Temp\CHEAT.exe"
    1⤵
      PID:1212
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 732
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3812
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 744
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 844
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 840
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 736
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/200-11-0x0000000004160000-0x0000000004161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/360-8-0x0000000004480000-0x0000000004481000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-14-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1212-2-0x0000000000C20000-0x0000000000C21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1212-4-0x0000000000400000-0x0000000000494000-memory.dmp
      Filesize

      592KB

      Download
    • memory/1212-3-0x0000000000A10000-0x0000000000AA2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2180-17-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3812-5-0x0000000004420000-0x0000000004421000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3812-6-0x0000000004420000-0x0000000004421000-memory.dmp
      Filesize

      4KB

      Download