Overview

overview

10

Static

static

Setup_Pass_1234.exe

windows7_x64

10

Setup_Pass_1234.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    52s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    10-03-2022 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup_Pass_1234.exe

  • Size

    4.5MB

  • MD5

    d1b14aa9c41b1fb168f0a33f8da66653

  • SHA1

    4969e9aa47972168ef618363e1b987287379bc7b

  • SHA256

    948c821b3a3f5b1ee3a8c49a15c449224be9b0e3c13b5876b5ffc67470424267

  • SHA512

    a760fea05bc71e520350fbbf30239fb3902769d2ce8cdf88f56f29b7ed82fb8d2fd6ad2eab80db03be8784eaf04945e896f473c9c87c49ea550a1d579c47750d

Score
10/10
raccoon231a2bef03530ea1eb31f9ad27af7d488aca1ee8stealersuricata

Malware Config

Extracted

Family

raccoon

Botnet

231a2bef03530ea1eb31f9ad27af7d488aca1ee8

Attributes
  • url4cnc

    http://85.159.212.113/sibiusio

    http://185.163.204.81/sibiusio

    http://194.180.191.33/sibiusio

    http://174.138.11.98/sibiusio

    http://194.180.191.44/sibiusio

    http://91.219.236.120/sibiusio

    https://t.me/sibiusio

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

    suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6

    suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6

    suricata
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup_Pass_1234.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup_Pass_1234.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:2376
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 816
          3⤵
          • Program crash
          PID:4904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2376 -ip 2376
      1⤵
        PID:5048

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1516-130-0x0000000000CF0000-0x0000000001763000-memory.dmp
        Filesize

        10.4MB

        Download
      • memory/2376-134-0x0000000001000000-0x0000000001093000-memory.dmp
        Filesize

        588KB

        Download
      • memory/2376-140-0x0000000001000000-0x0000000001093000-memory.dmp
        Filesize

        588KB

        Download