General

  • Target

    8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777

  • Size

    532KB

  • Sample

    220701-sanf1shafm

  • MD5

    d6031e2f2a12421a8d908d26843f7c48

  • SHA1

    67bf218cb222d8a77b140523fcbbb9d8f29fe0aa

  • SHA256

    8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777

  • SHA512

    0d732bfb4959affffa6a51a13e0f8d0210e4edf26db6f45a2c4c0b81bbe25a8721e3ff2a2f2cecd55e9eac04d77f8de66e51e94418d8cc9dc2b70889bf07583f

Malware Config

  • Extracted

    Language
      ps1
    Deobfuscated
    URLs
      ps1.dropper
        http://boundertime.ru/pps.ps1

  • Extracted

    Family
      raccoon
    Botnet
      5f3e2ed386ddeccffbb4e34c56fc2efd
    C2
      http://193.106.191.146/
      http://185.215.113.89/
    rc4.plain
    rc4.plain

  • Extracted

    Family
      arkei
    Botnet
      Default

Targets

    • Target

      8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777

    • Size

      532KB

    • MD5

      d6031e2f2a12421a8d908d26843f7c48

    • SHA1

      67bf218cb222d8a77b140523fcbbb9d8f29fe0aa

    • SHA256

      8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777

    • SHA512

      0d732bfb4959affffa6a51a13e0f8d0210e4edf26db6f45a2c4c0b81bbe25a8721e3ff2a2f2cecd55e9eac04d77f8de66e51e94418d8cc9dc2b70889bf07583f

    • Arkei

      Arkei is an infostealer written in C++.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

    • suricata: ET MALWARE Generic Stealer Config Download Request

    • suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    • suricata: ET MALWARE Windows executable base64 encoded

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 2
