General

  • Target

    be9c8c945c0574b5f21df0b8166342460b551d17448b85cbb07577b4045e2991

  • Size

    20MB

  • Sample

    220508-c5ymgagbam

  • MD5

    787a4f7e16835b51fb70be27e45eda71

  • SHA1

    e70fe56b79d7f52ad461b4399899c6eef7bb0a43

  • SHA256

    be9c8c945c0574b5f21df0b8166342460b551d17448b85cbb07577b4045e2991

  • SHA512

    492b40da5897dbf108c3d4bece162d9abc7881c202527c5a915a9dc42e88bdd04b184ed1baf3f293e977c9e69d60458dd12855697e5a6dbd0bb5a544f6e7af8d

Malware Config

Extracted

Family

raccoon

Botnet

c763e433ef51ff4b6c545800e4ba3b3b1a2ea077

Attributes
  • url4cnc

    https://telete.in/jbitchsucks

rc4.plain
rc4.plain

Targets

    • Target

      be9c8c945c0574b5f21df0b8166342460b551d17448b85cbb07577b4045e2991

    • Size

      20MB

    • MD5

      787a4f7e16835b51fb70be27e45eda71

    • SHA1

      e70fe56b79d7f52ad461b4399899c6eef7bb0a43

    • SHA256

      be9c8c945c0574b5f21df0b8166342460b551d17448b85cbb07577b4045e2991

    • SHA512

      492b40da5897dbf108c3d4bece162d9abc7881c202527c5a915a9dc42e88bdd04b184ed1baf3f293e977c9e69d60458dd12855697e5a6dbd0bb5a544f6e7af8d

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Raccoon Stealer Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

2
T1031

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks