General

  • Target

    c6ad97890dc966035ef6555016dd28e424472288c972d7c98a273951a33cb18b

  • Size

    3.2MB

  • Sample

    220511-3al83acfd9

  • MD5

    e5f1ff0079899d0074b78e701e7ec8fe

  • SHA1

    e9857d834d20f5909ea4a88ed58eb2bd0eceaa8b

  • SHA256

    c6ad97890dc966035ef6555016dd28e424472288c972d7c98a273951a33cb18b

  • SHA512

    c980906d9ff1ea9229e50d000e99bea1e4ced00c17e3aa632d904334cd2f6ee05e89ad9d02b6782fc7b056139e382a9c986c7528632122ab347d5d488aeec5c4

Malware Config

Extracted

Family

raccoon

Botnet

7cd91e2e3ebf0259fe71e3eab9e1666577e3d950

Attributes
  • url4cnc

    https://telete.in/hcatknife

  • rc4.plain

Targets

    • Target

      c6ad97890dc966035ef6555016dd28e424472288c972d7c98a273951a33cb18b

    • Size

      3.2MB

    • MD5

      e5f1ff0079899d0074b78e701e7ec8fe

    • SHA1

      e9857d834d20f5909ea4a88ed58eb2bd0eceaa8b

    • SHA256

      c6ad97890dc966035ef6555016dd28e424472288c972d7c98a273951a33cb18b

    • SHA512

      c980906d9ff1ea9229e50d000e99bea1e4ced00c17e3aa632d904334cd2f6ee05e89ad9d02b6782fc7b056139e382a9c986c7528632122ab347d5d488aeec5c4

    • Raccoon

      A simple but powerful infostealer that was very active in 2019.

    • Raccoon Stealer Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Virtualization/Sandbox Evasion, T1497 (2)

Discovery

  • Query Registry, T1012 (3)

  • Virtualization/Sandbox Evasion, T1497 (2)

  • System Information Discovery, T1082 (1)

Tasks