General

  • Target: a68bedcf4c614a60dab1934438bc0fd3.exe
  • Size: 528KB
  • Sample: 210417-2eaq4x9zv6
  • MD5: a68bedcf4c614a60dab1934438bc0fd3
  • SHA1: 77926b7f5c22ab5c505b7cd2c342fba2fbc5e65b
  • SHA256: 3f11a6c481b433ce5fa625ae1c43558335c9d281d203f3d5a0653bd2d6053940
  • SHA512: fb6c3c0e06b7c6243e4cd02220c45f5b63ba72a0fe5adb990794df52497f00cb4b31ed813b45eee4dc5c064d9cdf65cfdd01baabf0dfb615dc40a3413c52c4f4

Malware Config

Extracted

  • Family: raccoon
  • Botnet: bb8d3701ca5d8e031967c87b862623b34997b3d1
  • Attributes
    • url4cnc: https://telete.in/jdiamond13
    • rc4.plain

Targets

    • Target: a68bedcf4c614a60dab1934438bc0fd3.exe


    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                  Technique                      Count  ID
  Execution               Scheduled Task                 1      T1053
  Persistence             Scheduled Task                 1      T1053
  Privilege Escalation    Scheduled Task                 1      T1053
  Defense Evasion         Install Root Certificate       1      T1130
  Defense Evasion         Modify Registry                1      T1112
  Credential Access       Credentials in Files           2      T1081
  Discovery               Query Registry                 1      T1012
  Discovery               System Information Discovery   1      T1082
  Collection              Data from Local System         2      T1005
