General
-
Target
51910c96d2ad9825dc9e4928932c35f7db9fbada74aabf96a9c66cb46e5b70eb
-
Size
12.8MB
-
Sample
220427-rwwh3sdccn
-
MD5
95bff79834c48d6eedad1322e1fd6983
-
SHA1
77cf6f567dab057cbecb0372c17c1d3a51337d7c
-
SHA256
51910c96d2ad9825dc9e4928932c35f7db9fbada74aabf96a9c66cb46e5b70eb
-
SHA512
db3b571d1336b92bae23b1ba3bb9643157e3f2e97f7e2b723957e1c9022611dc2af721ecf8beabeaed5cf432343c062894e7e82128c16877bcfdd85beebdcf3f
Malware Config
Extracted
raccoon
1.7.1-hotfix
0422feff6c251ddfdca83125d9b8ae570db3b316
-
url4cnc
https://telete.in/jbitchsucks
Extracted
raccoon
c763e433ef51ff4b6c545800e4ba3b3b1a2ea077
-
url4cnc
https://telete.in/jbitchsucks
Targets
-
-
Target
51910c96d2ad9825dc9e4928932c35f7db9fbada74aabf96a9c66cb46e5b70eb
-
Size
12.8MB
-
MD5
95bff79834c48d6eedad1322e1fd6983
-
SHA1
77cf6f567dab057cbecb0372c17c1d3a51337d7c
-
SHA256
51910c96d2ad9825dc9e4928932c35f7db9fbada74aabf96a9c66cb46e5b70eb
-
SHA512
db3b571d1336b92bae23b1ba3bb9643157e3f2e97f7e2b723957e1c9022611dc2af721ecf8beabeaed5cf432343c062894e7e82128c16877bcfdd85beebdcf3f
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-