General

  • Target

    2aba51a94cffeab90191cc734940b87a06bcf84611d666dd80671c1ea0b9fbf5

  • Size

    3MB

  • Sample

    220705-tjcljsagan

  • MD5

    bde658028be8d6983c7212e1f550be81

  • SHA1

    0be7bb34651d1226cd2030ef495316536540668e

  • SHA256

    2aba51a94cffeab90191cc734940b87a06bcf84611d666dd80671c1ea0b9fbf5

  • SHA512

    836af2244eda3ee6922c091604a24c89f42499a7cb1cf9194a0ab73b01232132abc4a616a326fdab2548cb614a65ea539d49f43d083dee54848f54181150b855

Malware Config

Extracted

Family

raccoon

Botnet

c4376f037b1703b305ca5fb81f6ffc21

C2

http://45.8.144.53/

http://77.91.73.154/

rc4.plain

Targets

    • Target

      2aba51a94cffeab90191cc734940b87a06bcf84611d666dd80671c1ea0b9fbf5

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ModiLoader Second Stage

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Virtualization/Sandbox Evasion: 1 (T1497)

Discovery

  • Query Registry: 2 (T1012)

  • Virtualization/Sandbox Evasion: 1 (T1497)

  • System Information Discovery: 2 (T1082)