Analysis
-
max time kernel
110s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
21-10-2021 19:13
General
-
Target
0e9e98cde28f8dd9a22f642400452d84762785efeb72ecdf49c317d44624f181.exe
-
Size
513KB
-
MD5
18b193c34923f4f2aa44fb8675f64993
-
SHA1
30d430349129b556546c085f92baa2034853471f
-
SHA256
0e9e98cde28f8dd9a22f642400452d84762785efeb72ecdf49c317d44624f181
-
SHA512
b2001ce78c83318304c9740365e7ef0db5830bb156c73c398baac38d65e3a27f5a4d603860de6ff65d8c270f5eb53a20f3c648c93d69e917cd51ef38a501cd21
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
7ebf9b416b72a203df65383eec899dc689d2c3d7
Attributes
-
url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
rc4.plain
rc4.plain
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e9e98cde28f8dd9a22f642400452d84762785efeb72ecdf49c317d44624f181.exe"C:\Users\Admin\AppData\Local\Temp\0e9e98cde28f8dd9a22f642400452d84762785efeb72ecdf49c317d44624f181.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 6402⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1836-116-0x0000000004B90000-0x0000000004C1E000-memory.dmpFilesize
568KB
-
memory/1836-115-0x0000000004B40000-0x0000000004B8E000-memory.dmpFilesize
312KB
-
memory/1836-117-0x0000000000400000-0x0000000002F47000-memory.dmpFilesize
43.3MB