General

  • Target

    056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa

  • Size

    4MB

  • Sample

    220610-y6vg4afbgj

  • MD5

    8b816302b43bc9e9b6ac2c694459a420

  • SHA1

    d52fc1485c86843bd3e4166ebc1ef4f9a1732579

  • SHA256

    056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa

  • SHA512

    a7e429e911af551af026f3a18d5845d1d032d5dbd39af17fec94917368c971682742791adff212c3d36e52d0c682a87a5c5262fc2019690e5f07b259738bac5c

Malware Config

Extracted

Family

raccoon

Botnet

2e76ef3db69c0aaf1af8319ea2bd6e91

C2

http://185.106.94.148/

rc4.plain

Targets

    • Target

      056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa

    • Size

      4MB

    • MD5

      8b816302b43bc9e9b6ac2c694459a420

    • SHA1

      d52fc1485c86843bd3e4166ebc1ef4f9a1732579

    • SHA256

      056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa

    • SHA512

      a7e429e911af551af026f3a18d5845d1d032d5dbd39af17fec94917368c971682742791adff212c3d36e52d0c682a87a5c5262fc2019690e5f07b259738bac5c

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • suricata: ET MALWARE Generic Stealer Config Download Request

    • suricata: ET MALWARE Possible Drive DDoS Check-in

    • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

  • Collection

  • Command and Control

  • Credential Access

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege Escalation

Tasks