Analysis
- max time kernel: 88s
- max time network: 161s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-08-2021 20:45
Static task
- static1
Behavioral task
- behavioral1
  Sample: 41FA35AD45D4442404F2F970EE3578B8.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task
- behavioral2
  Sample: 41FA35AD45D4442404F2F970EE3578B8.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: 41FA35AD45D4442404F2F970EE3578B8.exe
- Size: 6.6MB
- MD5: 41fa35ad45d4442404f2f970ee3578b8
- SHA1: 61577d5ff6b0c870d51fbb3463ce920b2cd191a7
- SHA256: 56f1c287ea437e4642a04cfb0f44f2dcc74a0eeb3204aba76fd0c64f31b0dffd
- SHA512: 778972963c3aa9119877e7ab885b14eb2eadbe9bf3bba28365fee48e4bb4ba351680a980cb2c34ceafaa2258ccd86c28ee1532667cf3aec138c647eab8819096
Malware Config
Extracted
- Family: raccoon
- Botnet: bb8d3701ca5d8e031967c87b862623b34997b3d1
- Attributes
  - url4cnc: https://telete.in/jdiamond13
  - rc4.plain
  - rc4.plain
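The extracted config names a url4cnc value (a Telegram channel page on the telete.in mirror) and two rc4.plain keys whose values this page does not print. Raccoon v1 is documented to use that channel page as a dead drop: the stealer fetches the HTML, reads the channel description and RC4-decrypts a base64 blob found there to obtain the real C2 gate. The following is an added example, not part of the sandbox report and not Raccoon's own code: it implements that lookup offline against a constructed page. The key, the gate URL and the exact HTML element carrying the blob are assumptions made for the demo; telete.in is never contacted.

```python
"""Dead-drop resolution of the kind Raccoon v1 performs via url4cnc.

Added example: the key, the gate address and the og:description placement
are constructed assumptions; the sandbox page gives only the key names."""
import base64
import re

# Assumptions for the demo: placeholder key and a TEST-NET gate address.
DEMO_KEY = b"constructed-demo-key"
DEMO_GATE = "http://203.0.113.10/gate/"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumption: the encrypted gate is published as the channel description,
# which Telegram preview pages expose in an og:description meta tag.
DESC_RE = re.compile(r'<meta property="og:description" content="([^"]*)"')


def make_dead_drop_page(gate: str, key: bytes) -> str:
    """Build a constructed channel page carrying the RC4+base64 encrypted gate."""
    blob = base64.b64encode(rc4(key, gate.encode())).decode()
    return ('<html><head><title>channel</title>'
            f'<meta property="og:description" content="{blob}">'
            '</head><body></body></html>')


def resolve_dead_drop(html: str, key: bytes) -> str:
    """Recover the C2 gate from a fetched channel page.

    Fails loudly on a wrong key instead of returning garbage that an
    automated crawler might then try to visit."""
    m = DESC_RE.search(html)
    if m is None:
        raise ValueError("no channel description in page")
    ciphertext = base64.b64decode(m.group(1).strip(), validate=True)
    url = rc4(key, ciphertext).decode("ascii")  # UnicodeDecodeError is a ValueError
    if not url.startswith(("http://", "https://")):
        raise ValueError("decrypted data is not a URL; wrong RC4 key?")
    return url


def try_keys(html: str, keys) -> str:
    """Raccoon configs carry two rc4.plain keys: try each until one yields a URL."""
    for key in keys:
        try:
            return resolve_dead_drop(html, key)
        except ValueError:
            continue
    raise ValueError("no candidate key decrypted the dead drop")


if __name__ == "__main__":
    page = make_dead_drop_page(DEMO_GATE, DEMO_KEY)
    print(try_keys(page, [b"wrong-key", DEMO_KEY]))
```

When the real key values are available from the config extractor, feeding them to try_keys against the saved channel page reproduces the gate the sample would have contacted, without executing it again.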
Signatures
- Raccoon Stealer Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3128-114-0x0000000002BF0000-0x0000000002C81000-memory.dmp  family_raccoon
  behavioral2/memory/3128-115-0x0000000000400000-0x0000000000E7B000-memory.dmp  family_raccoon
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  description            pid   process       target process
  PID 2352 created 3128  2352  WerFault.exe  41FA35AD45D4442404F2F970EE3578B8.exe
- Program crash (1 IoCs)
  pid   pid_target  process       target process
  2352  3128        WerFault.exe  41FA35AD45D4442404F2F970EE3578B8.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   process
  2352  WerFault.exe  (13 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  2352  WerFault.exe
  Token: SeBackupPrivilege   2352  WerFault.exe
  Token: SeDebugPrivilege    2352  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\41FA35AD45D4442404F2F970EE3578B8.exe (PID 3128)
  "C:\Users\Admin\AppData\Local\Temp\41FA35AD45D4442404F2F970EE3578B8.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 2352)
    C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1184
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
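The Signatures and Processes sections above carry two things worth extracting from this report as structured IoCs. The sandbox names each dumped region pid-index-0xstart-0xend-memory.dmp, so the size and base address of every family_raccoon match can be recovered from the file name alone. Every signature other than the YARA hits is attributed to WerFault.exe, the Windows crash handler, so the correlation that matters is that the pid it was invoked for (-p 3128) is the pid whose memory matched. The following is an added example, not part of the sandbox report: it parses the lines shown on this page into that form. The interpretation of 0x400000 as the classic 32-bit image base is a reading of the data, not something the report states.

```python
"""Turn the report's memory YARA hits and WerFault command line into IoCs.

Added example; the input lines are copied from the report above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines copied from the "Raccoon Stealer Payload" signature.
YARA_HITS = [
    "behavioral2/memory/3128-114-0x0000000002BF0000-0x0000000002C81000-memory.dmp family_raccoon",
    "behavioral2/memory/3128-115-0x0000000000400000-0x0000000000E7B000-memory.dmp family_raccoon",
]
# Command line copied from the process tree.
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1184"

# Default ImageBase for 32-bit PE files linked without /DYNAMICBASE
# (assumption used to label a hit as "main image" rather than heap/injected).
DEFAULT_IMAGE_BASE_32 = 0x400000

HIT_RE = re.compile(
    r"^(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<index>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
WERFAULT_RE = re.compile(r"WerFault\.exe\s+(?:-u\s+)?-p\s+(?P<pid>\d+)\s+-s\s+(?P<event>\d+)")


@dataclass(frozen=True)
class MemoryHit:
    task: str
    pid: int
    index: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def in_main_image(self) -> bool:
        return self.start == DEFAULT_IMAGE_BASE_32


def parse_hit(line: str) -> MemoryHit:
    """Parse one '<task>/memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp <rule>' line."""
    m = HIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised YARA hit line: {line!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {line!r}")
    return MemoryHit(m["task"], int(m["pid"]), int(m["index"]), start, end, m["rule"])


def parse_werfault(cmdline: str) -> Optional[Dict[str, int]]:
    """Return {'pid': crashed pid, 'event': event handle} for a WerFault.exe
    invocation, or None when the command line is not one."""
    m = WERFAULT_RE.search(cmdline)
    return None if m is None else {"pid": int(m["pid"]), "event": int(m["event"])}


def summarise(hit_lines: List[str], werfault_cmdline: str) -> Dict[str, object]:
    """Collapse the hits and the crash into one record for a ticket or IoC feed."""
    hits = [parse_hit(line) for line in hit_lines]
    crash = parse_werfault(werfault_cmdline)
    crashed_pid = crash["pid"] if crash else None
    matched_pids = {h.pid for h in hits}
    return {
        "rules": sorted({h.rule for h in hits}),
        "pids": sorted(matched_pids),
        "total_matched_bytes": sum(h.size for h in hits),
        "image_hits": [h.index for h in hits if h.in_main_image],
        "crashed_pid": crashed_pid,
        # True when the process WER was invoked for is one whose memory matched.
        "crash_matches_payload": crashed_pid in matched_pids,
    }


if __name__ == "__main__":
    for h in map(parse_hit, YARA_HITS):
        print(f"pid {h.pid} region {h.index}: 0x{h.start:08X}-0x{h.end:08X} "
              f"({h.size:,} bytes) rule={h.rule} main_image={h.in_main_image}")
    print(summarise(YARA_HITS, WERFAULT_CMDLINE))
```

Region 115 starts at 0x400000 and spans roughly 10.5 MB, larger than the 6.6 MB file on disk, which is consistent with the unpacked Raccoon image living in the main module; region 114 is a separate 0x91000-byte allocation. The WerFault.exe path under SysWOW64 shows the sample is a 32-bit process.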