General

  • Target

    49c3b146f9734caa1f3ffb3b273238f3.exe

  • Size

    16KB

  • Sample

    211104-3et5gafadk

  • MD5

    49c3b146f9734caa1f3ffb3b273238f3

  • SHA1

    c2c3955cd049f3cfcaf1f926e660712850beccc3

  • SHA256

    9fcd74ab400531e530fc20dd5cb71635dd8f8aac2deea7d749284d976ea0a629

  • SHA512

    bf33e890ba8fe22aa9a1cfa8757867f0d4010522c82dccbb47e16d376ec66566093056757895edf15d98d9f4f9c2a0f1ffcae4eebd9b6bdb8ed5b43eb0ddd001

Malware Config

Extracted

Family

raccoon

Botnet

a8df9e1d3d24b04502963590a8ed392d88ab1b96

Attributes
  • url4cnc

    http://telegin.top/opticillusionlusy

    http://ttmirror.top/opticillusionlusy

    http://teletele.top/opticillusionlusy

    http://telegalive.top/opticillusionlusy

    http://toptelete.top/opticillusionlusy

    http://telegraf.top/opticillusionlusy

    https://t.me/opticillusionlusy

rc4.plain
rc4.plain

Targets

    • Target

      49c3b146f9734caa1f3ffb3b273238f3.exe

    • Size

      16KB

    • MD5

      49c3b146f9734caa1f3ffb3b273238f3

    • SHA1

      c2c3955cd049f3cfcaf1f926e660712850beccc3

    • SHA256

      9fcd74ab400531e530fc20dd5cb71635dd8f8aac2deea7d749284d976ea0a629

    • SHA512

      bf33e890ba8fe22aa9a1cfa8757867f0d4010522c82dccbb47e16d376ec66566093056757895edf15d98d9f4f9c2a0f1ffcae4eebd9b6bdb8ed5b43eb0ddd001

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • BitRAT Payload

    • Modifies Windows Defender Real-time Protection settings

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

4
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Tasks