General

  • Target

    4bc0df38f4c850b366c058e3b0e10264d5fa7f900cc436180e8d623e0bce6804

  • Size

    23.9MB

  • Sample

    220516-fvtsbaeea8

  • MD5

    c888b34fa4b656f3e8862f4f3dfa9724

  • SHA1

    64de0b18bdaa471b8cef726dda5ff781314c0876

  • SHA256

    4bc0df38f4c850b366c058e3b0e10264d5fa7f900cc436180e8d623e0bce6804

  • SHA512

    9d7f71b1e3f6e48d8327d56dedddbde36c106a5e35aef31516e90ea53958a37f82974cb9c87590f4cf9231f0b395525a32cd3f52e8d0944892a94996d35c0db2

Malware Config

Extracted

  • Family

    raccoon

  • Botnet

    c763e433ef51ff4b6c545800e4ba3b3b1a2ea077

Attributes

  • url4cnc

    https://telete.in/jbitchsucks

  • rc4.plain

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Raccoon

      Simple but powerful infostealer that was very active in 2019.

    • Raccoon Stealer Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Checks for any installed AV software in registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 2

Defense Evasion

  • Modify Registry (T1112): 2

  • Disabling Security Tools (T1089): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

  • Security Software Discovery (T1063): 1