Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    13s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    07-09-2021 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd2f2ec66b440c95c3ff38139baa7893c843cd0b8ee6cb78c6f4e7b3ccda4dbb.exe

  • Size

    421KB

  • MD5

    a836dd578e9c7f5402c39abd6b2c10ff

  • SHA1

    288dceed734aef555ff55bf983d5d813fe70abf1

  • SHA256

    dd2f2ec66b440c95c3ff38139baa7893c843cd0b8ee6cb78c6f4e7b3ccda4dbb

  • SHA512

    ec7a809e771260a496c66b5f87e45b883ebb901fffca8121fdc3bbb5527e769a0ba49731a740ad4000cf215d233a70dc82a0c92c5fb19d96af2db07be0eb3126

Score
10/10
raccoon93d3ccba4a3cbd5e268873fc1760b2335272e198stealer

Malware Config

Extracted

Family

raccoon

Botnet

93d3ccba4a3cbd5e268873fc1760b2335272e198

Attributes
  • url4cnc

    https://telete.in/opa4kiprivatem

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd2f2ec66b440c95c3ff38139baa7893c843cd0b8ee6cb78c6f4e7b3ccda4dbb.exe
    "C:\Users\Admin\AppData\Local\Temp\dd2f2ec66b440c95c3ff38139baa7893c843cd0b8ee6cb78c6f4e7b3ccda4dbb.exe"
    1⤵
      PID:4032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 744
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 752
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1268
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 852
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 892
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 888
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2168

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4032-115-0x0000000002390000-0x000000000241F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/4032-116-0x0000000000400000-0x0000000002187000-memory.dmp
      Filesize

      29.5MB

      Download