b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c

General

Target     b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
Filesize   430KB
Completed  26-09-2021 13:02
Score      10/10
MD5        8066b98ce627fb951b1de8d04ad5d11a
SHA1       33bec6772d4b829a2f2161f291012c55c2971c51
SHA256     b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c

Malware Config

Extracted

Family      raccoon
Botnet      f6d7183c9e82d2a9b81e6c0608450aa66cefb51f
Attributes
  url4cnc   https://t.me/justoprostohello
  rc4.plain
  rc4.plain
Signatures 12

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    Description

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

  • Downloads MZ/PE file
  • Executes dropped EXE
    LgDSt2rr2q.exe, sihost.exe

    Reported IOCs

    PID   Process
    3140  LgDSt2rr2q.exe
    2196  sihost.exe
  • Loads dropped DLL
    b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe

    Reported IOCs

    PID   Process
    1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
    1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
    1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
    1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
    1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
    1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe, schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    PID   Process
    1500  schtasks.exe
    2432  schtasks.exe
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    PID   Process
    532   timeout.exe
  • Suspicious use of WriteProcessMemory
    b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe, cmd.exe, LgDSt2rr2q.exe, sihost.exe

    Reported IOCs

    Description                       PID   Process                                                               Target process
    PID 1784 wrote to memory of 3140  1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe  LgDSt2rr2q.exe
    PID 1784 wrote to memory of 3140  1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe  LgDSt2rr2q.exe
    PID 1784 wrote to memory of 3140  1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe  LgDSt2rr2q.exe
    PID 1784 wrote to memory of 3684  1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe  cmd.exe
    PID 1784 wrote to memory of 3684  1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe  cmd.exe
    PID 1784 wrote to memory of 3684  1784  b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe  cmd.exe
    PID 3684 wrote to memory of 532   3684  cmd.exe                                                               timeout.exe
    PID 3684 wrote to memory of 532   3684  cmd.exe                                                               timeout.exe
    PID 3684 wrote to memory of 532   3684  cmd.exe                                                               timeout.exe
    PID 3140 wrote to memory of 1500  3140  LgDSt2rr2q.exe                                                        schtasks.exe
    PID 3140 wrote to memory of 1500  3140  LgDSt2rr2q.exe                                                        schtasks.exe
    PID 3140 wrote to memory of 1500  3140  LgDSt2rr2q.exe                                                        schtasks.exe
    PID 2196 wrote to memory of 2432  2196  sihost.exe                                                            schtasks.exe
    PID 2196 wrote to memory of 2432  2196  sihost.exe                                                            schtasks.exe
    PID 2196 wrote to memory of 2432  2196  sihost.exe                                                            schtasks.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
    "C:\Users\Admin\AppData\Local\Temp\b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Local\Temp\LgDSt2rr2q.exe
      "C:\Users\Admin\AppData\Local\Temp\LgDSt2rr2q.exe"
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
        Creates scheduled task(s)
        PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe"
      Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        Delays execution with timeout.exe
        PID:532
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      Creates scheduled task(s)
      PID:2432
Network

MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads

  • C:\Users\Admin\AppData\Local\Temp\LgDSt2rr2q.exe
    MD5     13d6542b23dfe0a254885ad5b6986141
    SHA1    893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
    SHA256  2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
    SHA512  e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    MD5     13d6542b23dfe0a254885ad5b6986141
    SHA1    893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
    SHA256  2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
    SHA512  e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681

  • \Users\Admin\AppData\LocalLow\sqlite3.dll
    MD5     f964811b68f9f1487c2b41e1aef576ce
    SHA1    b423959793f14b1416bc3b7051bed58a1034025f
    SHA256  83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
    SHA512  565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

  • \Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
    MD5     60acd24430204ad2dc7f148b8cfe9bdc
    SHA1    989f377b9117d7cb21cbe92a4117f88f9c7693d9
    SHA256  9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
    SHA512  626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

  • \Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
    MD5     eae9273f8cdcf9321c6c37c244773139
    SHA1    8378e2a2f3635574c106eea8419b5eb00b8489b0
    SHA256  a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
    SHA512  06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

  • \Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
    MD5     02cc7b8ee30056d5912de54f1bdfc219
    SHA1    a6923da95705fb81e368ae48f93d28522ef552fb
    SHA256  1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
    SHA512  0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

  • \Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
    MD5     4e8df049f3459fa94ab6ad387f3561ac
    SHA1    06ed392bc29ad9d5fc05ee254c2625fd65925114
    SHA256  25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
    SHA512  3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

  • memory/532-127-0x0000000000000000-mapping.dmp
  • memory/1500-128-0x0000000000000000-mapping.dmp
  • memory/1784-116-0x0000000000400000-0x00000000004F2000-memory.dmp
  • memory/1784-115-0x0000000000770000-0x0000000000800000-memory.dmp
  • memory/2196-134-0x00000000004B0000-0x000000000055E000-memory.dmp
  • memory/2196-135-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/2432-133-0x0000000000000000-mapping.dmp
  • memory/3140-129-0x00000000001D0000-0x00000000001D4000-memory.dmp
  • memory/3140-123-0x0000000000000000-mapping.dmp
  • memory/3140-130-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/3684-125-0x0000000000000000-mapping.dmp