General
-
Target
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c.exe
-
Size
9KB
-
Sample
210322-megqzb7lx2
-
MD5
4c5c17827dee5404f8277ec293e24f61
-
SHA1
1749b06fc73e691d2178370fa7f1663e8d10592c
-
SHA256
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c78f715be65f5d72724c
-
SHA512
ebf63d08e35830ca7971d0424f3ddb81a3f6f0f35286602bf5c637b05dadfc023da350baf264eacdb37f6d8f88abee155c442c6df0efe0dec4ce001f1f9c8868
Static task
static1
Behavioral task
behavioral1
Sample
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c.exe
Resource
win10v20201028
Malware Config
Extracted
raccoon
c46f13f8aadc028907d65c627fd9163161661f6c
-
url4cnc
https://telete.in/capibar
Extracted
raccoon
2ce901d964b370c5ccda7e4d68354ba040db8218
-
url4cnc
https://telete.in/tomarsjsmith3
Targets
-
-
Target
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c.exe
-
Size
9KB
-
MD5
4c5c17827dee5404f8277ec293e24f61
-
SHA1
1749b06fc73e691d2178370fa7f1663e8d10592c
-
SHA256
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c78f715be65f5d72724c
-
SHA512
ebf63d08e35830ca7971d0424f3ddb81a3f6f0f35286602bf5c637b05dadfc023da350baf264eacdb37f6d8f88abee155c442c6df0efe0dec4ce001f1f9c8868
-
Executes dropped EXE
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-