Analysis

  • max time kernel
    89s
  • max time network
    91s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    02-10-2021 10:10

General

  • Target

    c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe

  • Size

    512KB

  • MD5

    de53e8d73fe96e1ceab93e3aee4751ec

  • SHA1

    98e010e66213ba828ead9debe86263bca9407509

  • SHA256

    c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8

  • SHA512

    e2e692971b0fb5b1244b08e952045f6b342f968a2f5ba8f3d28b3e4cd0bf34af89c63a1923ca16991c43e6376cbab113b3c43d194dc8639ce8d04881bfdc95c5

Malware Config

Extracted

Family

raccoon

Version

1.8.2

Botnet

fd16367b73441d6f39c715f71a74a399a84f0b41

Attributes
  • url4cnc

    http://teletop.top/terra11nc

    http://teleta.top/terra11nc

    https://t.me/terra11nc

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

  • Downloads MZ/PE file
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
    "C:\Users\Admin\AppData\Local\Temp\c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3492
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\freebl3.dll
    MD5

    60acd24430204ad2dc7f148b8cfe9bdc

    SHA1

    989f377b9117d7cb21cbe92a4117f88f9c7693d9

    SHA256

    9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

    SHA512

    626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

  • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\mozglue.dll
    MD5

    eae9273f8cdcf9321c6c37c244773139

    SHA1

    8378e2a2f3635574c106eea8419b5eb00b8489b0

    SHA256

    a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

    SHA512

    06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

  • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\nss3.dll
    MD5

    02cc7b8ee30056d5912de54f1bdfc219

    SHA1

    a6923da95705fb81e368ae48f93d28522ef552fb

    SHA256

    1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

    SHA512

    0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

  • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\softokn3.dll
    MD5

    4e8df049f3459fa94ab6ad387f3561ac

    SHA1

    06ed392bc29ad9d5fc05ee254c2625fd65925114

    SHA256

    25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

    SHA512

    3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

  • \Users\Admin\AppData\LocalLow\sqlite3.dll
    MD5

    f964811b68f9f1487c2b41e1aef576ce

    SHA1

    b423959793f14b1416bc3b7051bed58a1034025f

    SHA256

    83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

    SHA512

    565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

  • memory/968-121-0x0000000000000000-mapping.dmp
  • memory/1920-122-0x0000000000000000-mapping.dmp
  • memory/3492-114-0x0000000000B00000-0x0000000000B8E000-memory.dmp
    Filesize

    568KB

  • memory/3492-115-0x0000000000400000-0x00000000008AF000-memory.dmp
    Filesize

    4.7MB