General

  • Target

    a3b879761be898f958456279f0ad23686c234643d7ee6f9407d4663bb0869053

  • Size

    21.8MB

  • Sample

    220508-s3dsaabaa8

  • MD5

    944b5f9027c27fb6be138b79429286a2

  • SHA1

    1c33941fe505490833b7691b34ebd3c40f3cee1a

  • SHA256

    a3b879761be898f958456279f0ad23686c234643d7ee6f9407d4663bb0869053

  • SHA512

    d390d84fe7cacd5506c4812e77d2a35314408e6864f73f812a813e51d5f470844deab13125cc0a0d840064ab0a78fe7c691e730c5b0e33ac2952a5191c644333

Malware Config

Extracted

Family

raccoon

Botnet

c763e433ef51ff4b6c545800e4ba3b3b1a2ea077

Attributes
  • url4cnc

    https://telete.in/jbitchsucks

rc4.plain
rc4.plain

Targets

    • Target

      a3b879761be898f958456279f0ad23686c234643d7ee6f9407d4663bb0869053

    • Size

      21.8MB

    • MD5

      944b5f9027c27fb6be138b79429286a2

    • SHA1

      1c33941fe505490833b7691b34ebd3c40f3cee1a

    • SHA256

      a3b879761be898f958456279f0ad23686c234643d7ee6f9407d4663bb0869053

    • SHA512

      d390d84fe7cacd5506c4812e77d2a35314408e6864f73f812a813e51d5f470844deab13125cc0a0d840064ab0a78fe7c691e730c5b0e33ac2952a5191c644333

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Raccoon Stealer Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

2
T1031

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Tasks