Analysis
max time kernel: 52s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 10-03-2022 09:20
Static task: static1
Behavioral task: behavioral1
  Sample: Setup_Pass_1234.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: Setup_Pass_1234.exe
  Resource: win10v2004-en-20220113
General
Target: Setup_Pass_1234.exe
Size: 4.5MB
MD5: d1b14aa9c41b1fb168f0a33f8da66653
SHA1: 4969e9aa47972168ef618363e1b987287379bc7b
SHA256: 948c821b3a3f5b1ee3a8c49a15c449224be9b0e3c13b5876b5ffc67470424267
SHA512: a760fea05bc71e520350fbbf30239fb3902769d2ce8cdf88f56f29b7ed82fb8d2fd6ad2eab80db03be8784eaf04945e896f473c9c87c49ea550a1d579c47750d
Malware Config
Extracted
raccoon
231a2bef03530ea1eb31f9ad27af7d488aca1ee8
url4cnc:
  http://85.159.212.113/sibiusio
  http://185.163.204.81/sibiusio
  http://194.180.191.33/sibiusio
  http://174.138.11.98/sibiusio
  http://194.180.191.44/sibiusio
  http://91.219.236.120/sibiusio
  https://t.me/sibiusio
Signatures
- suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
- suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
    description                           pid   process              target process
    PID 1516 set thread context of 2376   1516  Setup_Pass_1234.exe  AppLaunch.exe
- Program crash 1 IoCs
  Processes:
    pid   pid_target  process       target process
    4904  2376        WerFault.exe  AppLaunch.exe
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes:
    description                        pid   process              target process
    PID 1516 wrote to memory of 2376   1516  Setup_Pass_1234.exe  AppLaunch.exe
    PID 1516 wrote to memory of 2376   1516  Setup_Pass_1234.exe  AppLaunch.exe
    PID 1516 wrote to memory of 2376   1516  Setup_Pass_1234.exe  AppLaunch.exe
    PID 1516 wrote to memory of 2376   1516  Setup_Pass_1234.exe  AppLaunch.exe
    PID 1516 wrote to memory of 2376   1516  Setup_Pass_1234.exe  AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup_Pass_1234.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Setup_Pass_1234.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 816
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2376 -ip 2376