General
- Target: 8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777
- Size: 532KB
- Sample: 220701-sanf1shafm
- MD5: d6031e2f2a12421a8d908d26843f7c48
- SHA1: 67bf218cb222d8a77b140523fcbbb9d8f29fe0aa
- SHA256: 8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777
- SHA512: 0d732bfb4959affffa6a51a13e0f8d0210e4edf26db6f45a2c4c0b81bbe25a8721e3ff2a2f2cecd55e9eac04d77f8de66e51e94418d8cc9dc2b70889bf07583f
Static task: static1
Behavioral task: behavioral1
- Sample: 8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777.lnk
- Resource: win7-20220414-en
Malware Config
- Extracted: http://boundertime.ru/pps.ps1
- Extracted: raccoon
  - 5f3e2ed386ddeccffbb4e34c56fc2efd
  - http://193.106.191.146/
  - http://185.215.113.89/
- Extracted: arkei
  - Default
Targets
- Target: 8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777
- Size: 532KB
- MD5: d6031e2f2a12421a8d908d26843f7c48
- SHA1: 67bf218cb222d8a77b140523fcbbb9d8f29fe0aa
- SHA256: 8b3f715a819f1e1050a07948c2c9f4345c29bea4672492514fbb78068d073777
- SHA512: 0d732bfb4959affffa6a51a13e0f8d0210e4edf26db6f45a2c4c0b81bbe25a8721e3ff2a2f2cecd55e9eac04d77f8de66e51e94418d8cc9dc2b70889bf07583f
- suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
- suricata: ET MALWARE Generic Stealer Config Download Request
- suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
- suricata: ET MALWARE Windows executable base64 encoded
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext