Overview

overview

10

Static

static

dridex

windows10_x64

10

Resubmissions

06-10-2021 15:33

211006-szlnqabehj 10

04-10-2021 12:00

211004-n6asksgdal 10

Analysis

  • max time kernel
    117s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    04-10-2021 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe

  • Size

    539KB

  • MD5

    39334f7bcc79560e4cba9026fcae6151

  • SHA1

    eb95a578bb947f52bdf0b779b90f605c5a3277d3

  • SHA256

    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5

  • SHA512

    c4fc970ec0e46207002cd1785c391fda1b1b6b1eb53ae1179f54df02d172dd75fb4269b00f1586bc164f90a419330b6f3f43fa19a25e64e8722a32db4ce5184e

Score
10/10
raccoone672747afc67feb221ca60f8fc9e03adcf10f038collectiondiscoveryspywarestealersuricata

Malware Config

Extracted

Family

raccoon

Version

1.8.2

Botnet

e672747afc67feb221ca60f8fc9e03adcf10f038

Attributes
  • url4cnc

    http://teletop.top/youyouhell0world

    http://teleta.top/youyouhell0world

    https://t.me/youyouhell0world

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata
  • Downloads MZ/PE file
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    "C:\Users\Admin\AppData\Local\Temp\f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2056
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:2356

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2056-115-0x00000000004A0000-0x00000000005EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2056-116-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download