General
-
Target
97c3f6161cb1449726f9a0eaff9dc67f.exe
-
Size
342KB
-
Sample
210324-w8e8scwrfe
-
MD5
97c3f6161cb1449726f9a0eaff9dc67f
-
SHA1
831fae42f7647dce83d51566d0c812d63e0cd97e
-
SHA256
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
-
SHA512
ea28d0460dbb13ea113a9236750fe4517630e4bd212787821b5568cf453373c45a24bc0c9c08f9e448feda7ab9b89b3befdcf36d578c73ef8081678a9a76ee33
Static task
static1
Behavioral task
behavioral1
Sample
97c3f6161cb1449726f9a0eaff9dc67f.exe
Resource
win7v20201028
Malware Config
Extracted
raccoon
c46f13f8aadc028907d65c627fd9163161661f6c
-
url4cnc
https://telete.in/capibar
Extracted
cryptbot
bazfr32.top
morwhy03.top
-
payload_url
http://akrvt04.top/download.php?file=lv.exe
Targets
-
-
Target
97c3f6161cb1449726f9a0eaff9dc67f.exe
-
Size
342KB
-
MD5
97c3f6161cb1449726f9a0eaff9dc67f
-
SHA1
831fae42f7647dce83d51566d0c812d63e0cd97e
-
SHA256
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
-
SHA512
ea28d0460dbb13ea113a9236750fe4517630e4bd212787821b5568cf453373c45a24bc0c9c08f9e448feda7ab9b89b3befdcf36d578c73ef8081678a9a76ee33
-
CryptBot Payload
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-