General

  • Target

    3f17a7e9bdb7a066966be287406da7a2.exe

  • Size

    344KB

  • Sample

    210519-dvnyxfse4n

  • MD5

    3f17a7e9bdb7a066966be287406da7a2

  • SHA1

    1c66940e95724d2a6d202a5c8afe1b0b90f2dd0e

  • SHA256

    17a54b98e0fa1559a540e2ec3c30f0c23d8a8cbe7b18c8fe1f4241945f314e5e

  • SHA512

    f9d9b1ef1ad804378daf3662c9f047421e5d252ee22afd34c51ca3ad1a149aba8b1b69930de42ade0dd95db7746d78bcd687e5bfb94616a7138aa374f7285c7d

Malware Config

Extracted

Family

raccoon

Botnet

7528117f6a744f7afc4b767f2029d96b378f12c8

Attributes
  • url4cnc

    https://telete.in/capibar

  • rc4.plain

Extracted

Family

cryptbot

C2

sogkys22.top

morlux02.top

Attributes
  • payload_url

    http://douwkw02.top/download.php?file=lv.exe

Targets

    • Target

      3f17a7e9bdb7a066966be287406da7a2.exe

    • Size

      344KB

    • MD5

      3f17a7e9bdb7a066966be287406da7a2

    • SHA1

      1c66940e95724d2a6d202a5c8afe1b0b90f2dd0e

    • SHA256

      17a54b98e0fa1559a540e2ec3c30f0c23d8a8cbe7b18c8fe1f4241945f314e5e

    • SHA512

      f9d9b1ef1ad804378daf3662c9f047421e5d252ee22afd34c51ca3ad1a149aba8b1b69930de42ade0dd95db7746d78bcd687e5bfb94616a7138aa374f7285c7d

    • CryptBot

      A C++ stealer that is widely distributed bundled with other software.

    • CryptBot Payload

    • Raccoon

      A simple but powerful infostealer that was very active in 2019.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2
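The extracted configuration above (the Raccoon url4cnc gate on telete.in, the CryptBot C2 domains and the payload_url) is directly usable for hunting. The block below is an added example, not part of the sandbox report: it turns those fields into network IOCs and runs them over constructed proxy log lines. The log lines, the field layout (time, client, method, URL, status) and the SHARED_HOSTS list are assumptions made for the demo; treating telete.in as a shared service where only the full URL is an indicator, rather than the bare host, is analyst judgement that follows from the "legitimate hosting services abused" detection on this page.

```python
"""Build network IOCs from the extracted Raccoon/CryptBot config on this page
and match them against proxy log lines (added example; log data is constructed)."""
from urllib.parse import urlparse

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "raccoon": {"url4cnc": ["https://telete.in/capibar"]},
    "cryptbot": {
        "c2": ["sogkys22.top", "morlux02.top"],
        "payload_url": ["http://douwkw02.top/download.php?file=lv.exe"],
    },
}

# Assumption: hosts that are legitimate shared services. For these only the
# exact host+path is an indicator; flagging the bare host would be noisy.
SHARED_HOSTS = {"telete.in"}

# Constructed proxy log, not from the report: time client method url status.
SAMPLE_LOG = """\
2021-05-19T10:00:01Z 10.0.0.5 GET http://douwkw02.top/download.php?file=lv.exe 200
2021-05-19T10:00:03Z 10.0.0.5 GET https://telete.in/capibar 200
2021-05-19T10:00:04Z 10.0.0.7 GET https://telete.in/some_other_channel 200
2021-05-19T10:00:09Z 10.0.0.12 POST http://sogkys22.top/gate.php 200
2021-05-19T10:00:10Z 10.0.0.9 GET https://www.example.com/index.html 200
2021-05-19T10:00:12Z 10.0.0.5 POST http://cdn.morlux02.top/upload 200
"""


def build_iocs(config, shared_hosts):
    """Split config values into bare-domain IOCs and host+path IOCs.

    Returns (domains, urls): domains maps host -> family and is matched on the
    host and its subdomains; urls maps (host, path) -> family and is matched
    exactly. A URL on a non-shared host also contributes its host to domains.
    """
    domains, urls = {}, {}
    for family, attrs in config.items():
        for values in attrs.values():
            for value in values:
                if "://" in value:
                    parsed = urlparse(value)
                    host = parsed.hostname.lower()
                    urls[(host, parsed.path)] = family
                    if host not in shared_hosts:
                        domains[host] = family
                else:
                    domains[value.lower()] = family
    return domains, urls


def scan(log_text, domains, urls):
    """Return [(client, family, indicator)] for every log line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        client, url = fields[1], fields[3]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        key = (host, parsed.path)
        if key in urls:  # exact gate / payload URL
            hits.append((client, urls[key], host + parsed.path))
            continue
        for domain, family in domains.items():  # C2 domain or any subdomain
            if host == domain or host.endswith("." + domain):
                hits.append((client, family, domain))
                break
    return hits


def clients_by_family(hits):
    """Group hit clients per malware family for triage."""
    result = {}
    for client, family, _ in hits:
        result.setdefault(family, set()).add(client)
    return result


if __name__ == "__main__":
    domains, urls = build_iocs(CONFIG, SHARED_HOSTS)
    for hit in scan(SAMPLE_LOG, domains, urls):
        print("%-10s %-9s %s" % hit)
```

Note that the third log line (a different telete.in path) produces no hit: the gate URL is specific to this botnet, and matching the whole shared host would flag unrelated Telegram traffic. The cdn.morlux02.top line does hit because C2 domains are matched together with their subdomains.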
