General

  • Target

    c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8

  • Size

    23MB

  • Sample

    220511-24r6qsfahm

  • MD5

    5e09313befea3f8ef5567f724ada60fe

  • SHA1

    48fab70a85e6da34fa0070163f7ea6ac16fc5d37

  • SHA256

    c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8

  • SHA512

    9df529de88a8b8c157f7deac7e3998cca8f0dabeebda58f6dbc6ca3c22970897a0b7a51fab3562462b65de8e7830b3437612ab6ae999b90607007d1ba0c20598

Malware Config

Extracted

Family

raccoon

Botnet

c763e433ef51ff4b6c545800e4ba3b3b1a2ea077

Attributes
  • url4cnc

    https://telete.in/jbitchsucks

rc4.plain
rc4.plain

Targets

    • Target

      c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8

    • Size

      23MB

    • MD5

      5e09313befea3f8ef5567f724ada60fe

    • SHA1

      48fab70a85e6da34fa0070163f7ea6ac16fc5d37

    • SHA256

      c83a43c9645f2716288130f311314b673e66e20084b432ce3b8ce8cdf39782c8

    • SHA512

      9df529de88a8b8c157f7deac7e3998cca8f0dabeebda58f6dbc6ca3c22970897a0b7a51fab3562462b65de8e7830b3437612ab6ae999b90607007d1ba0c20598

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Raccoon Stealer Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Tasks