General

  • Target

    9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6

  • Size

    1.1MB

  • Sample

    211113-ncm6taehh3

  • MD5

    6966182dd20351152ea815d31e735067

  • SHA1

    69a2df785f37d2d7d2d9a5f9120c679870ff3872

  • SHA256

    9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6

  • SHA512

    aa8e0c7ad305ab0b99807f0b579b54d2f99dc3b837d512de8c08681333bff53b7a56eaa93e66261b66b25524e416f20cdac6c0cffaa9c2621b678475f73dfbc7

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

7632dffeb03da57edca98c8bfb2611868e8eb0a7

Attributes
  • url4cnc

    http://91.219.236.162/brikitiki

    http://185.163.47.176/brikitiki

    http://193.38.54.238/brikitiki

    http://74.119.192.122/brikitiki

    http://91.219.236.240/brikitiki

    https://t.me/brikitiki

rc4.plain
rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

colonna.ac.ug

Targets

    • Target

      9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6

    • Size

      1.1MB

    • MD5

      6966182dd20351152ea815d31e735067

    • SHA1

      69a2df785f37d2d7d2d9a5f9120c679870ff3872

    • SHA256

      9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6

    • SHA512

      aa8e0c7ad305ab0b99807f0b579b54d2f99dc3b837d512de8c08681333bff53b7a56eaa93e66261b66b25524e416f20cdac6c0cffaa9c2621b678475f73dfbc7

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks