f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5

General
Target

f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe

Filesize

539KB

Completed

04-10-2021 12:02

Score
10/10
MD5

39334f7bcc79560e4cba9026fcae6151

SHA1

eb95a578bb947f52bdf0b779b90f605c5a3277d3

SHA256

f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5

Malware Config

Extracted

Family raccoon
Version 1.8.2
Botnet e672747afc67feb221ca60f8fc9e03adcf10f038
Attributes
url4cnc
http://teletop.top/youyouhell0world
http://teleta.top/youyouhell0world
https://t.me/youyouhell0world
rc4.plain
rc4.plain
Signatures 15

Filter: none

Collection
Credential Access
Discovery
  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    Description

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    Tags

  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    Description

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    Tags

  • Downloads MZ/PE file
  • Loads dropped DLL
    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe

    Reported IOCs

    pidprocess
    2056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    2056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    2056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    2056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    2056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    2056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses Microsoft Outlook accounts
    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe

    Tags

    TTPs

    Email Collection

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accountsf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
  • Accesses Microsoft Outlook profiles
    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe

    Tags

    TTPs

    Email Collection

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Delays execution with timeout.exe
    timeout.exe

    Tags

    Reported IOCs

    pidprocess
    2356timeout.exe
  • Suspicious use of WriteProcessMemory
    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2056 wrote to memory of 19202056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.execmd.exe
    PID 2056 wrote to memory of 19202056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.execmd.exe
    PID 2056 wrote to memory of 19202056f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.execmd.exe
    PID 1920 wrote to memory of 23561920cmd.exetimeout.exe
    PID 1920 wrote to memory of 23561920cmd.exetimeout.exe
    PID 1920 wrote to memory of 23561920cmd.exetimeout.exe
  • outlook_office_path
    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
  • outlook_win_path
    f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlookf45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe
    "C:\Users\Admin\AppData\Local\Temp\f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe"
    Loads dropped DLL
    Accesses Microsoft Outlook accounts
    Accesses Microsoft Outlook profiles
    Suspicious use of WriteProcessMemory
    outlook_office_path
    outlook_win_path
    PID:2056
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5.exe"
      Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        Delays execution with timeout.exe
        PID:2356
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\freebl3.dll

                      MD5

                      60acd24430204ad2dc7f148b8cfe9bdc

                      SHA1

                      989f377b9117d7cb21cbe92a4117f88f9c7693d9

                      SHA256

                      9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                      SHA512

                      626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                    • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\freebl3.dll

                      MD5

                      60acd24430204ad2dc7f148b8cfe9bdc

                      SHA1

                      989f377b9117d7cb21cbe92a4117f88f9c7693d9

                      SHA256

                      9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                      SHA512

                      626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                    • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\mozglue.dll

                      MD5

                      eae9273f8cdcf9321c6c37c244773139

                      SHA1

                      8378e2a2f3635574c106eea8419b5eb00b8489b0

                      SHA256

                      a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

                      SHA512

                      06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

                    • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\nss3.dll

                      MD5

                      02cc7b8ee30056d5912de54f1bdfc219

                      SHA1

                      a6923da95705fb81e368ae48f93d28522ef552fb

                      SHA256

                      1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

                      SHA512

                      0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

                    • \Users\Admin\AppData\LocalLow\nU9pY0gT8d\softokn3.dll

                      MD5

                      4e8df049f3459fa94ab6ad387f3561ac

                      SHA1

                      06ed392bc29ad9d5fc05ee254c2625fd65925114

                      SHA256

                      25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

                      SHA512

                      3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

                    • \Users\Admin\AppData\LocalLow\sqlite3.dll

                      MD5

                      f964811b68f9f1487c2b41e1aef576ce

                      SHA1

                      b423959793f14b1416bc3b7051bed58a1034025f

                      SHA256

                      83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

                      SHA512

                      565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

                    • memory/1920-123-0x0000000000000000-mapping.dmp

                    • memory/2056-115-0x00000000004A0000-0x00000000005EA000-memory.dmp

                    • memory/2056-116-0x0000000000400000-0x0000000000493000-memory.dmp

                    • memory/2356-124-0x0000000000000000-mapping.dmp