General
Target: ProtonVPN_5.10.00.zip
Size: 7.2MB
Sample: 220712-reybcadbcn
MD5: 47461c560e240275baf5b0d31eb533cd
SHA1: ed5c927ef7f55b21a9eaa9fff120fd0a1a63ddc3
SHA256: 2a6bcd0f64a4a343b33b6c43ecbd6948f1513459d6811d8febb6b72056a36e86
SHA512: af7ede13bd9a1437cdd15ee50f16c68dd758018a4556411d8008ce72ebb6f9a8f70b00e735908ded0fc4590a5568367d0bb77d17bf9503053879ad8875a25b2a
Static task: static1
Behavioral task: behavioral1
Sample: ProtonVPN 5.10.00.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: raccoon
Extracted value: 21f08585870c425fe2ebf8217377616a
C2: http://142.132.229.12/
C2: http://164.92.172.4/
Targets
Target: ProtonVPN 5.10.00.exe
Size: 399.7MB (the 7.2MB archive expands to this, so most of the file is highly compressible padding)
MD5: 3ace2504f0eddb23f2d9f783c65727c8
SHA1: 2c6da9a828c5c32132cfbd6991a5f414a6e17dcd
SHA256: 5665013064b9e8061254b8d831c89997885bc03627d10326418db5b961d49e7c
SHA512: 2e967f22dfbca2f2d311e1686d63f84f92395ffc76293e4cba1952b11e8005ee4fb597cee67478896a16dc2b20da99a09c82d7bbd8b7382857a68382f3932c47
Signatures
- suricata: ET MALWARE Generic Stealer Config Download Request
- suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  The ThreadHideFromDebugger information class (0x11) detaches the calling thread from any attached debugger so that its exceptions and breakpoints are no longer reported; it is a common anti-debugging check.
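The hash, C2 and registry indicators in this report can be turned into a small triage rule. The following is an added example, not part of the sandbox report or of any tool it names: it matches constructed Sysmon-like events against the report's file hashes and C2 hosts and against the registry locations the listed behaviors normally touch (the VirtualBox ACPI keys under HKLM\HARDWARE\ACPI, the BIOS values under HKLM\HARDWARE\DESCRIPTION\System and the Uninstall key). Those registry paths, the event format, the sample events and the verdict thresholds are assumptions of the example; the report names the behaviors, not the exact values it observed.

```python
"""IOC and behavior matcher for the Raccoon/RecordBreaker report above.

Added example, not part of the sandbox report. The event lines are
constructed to resemble Sysmon fields (EventID 1 = process create with
Hashes, 3 = network connect, 12/13 = registry access) in a simplified
'key=value|key=value' form; real Sysmon XML/EVTX needs a different parser.
"""
import re

# File hashes (MD5, SHA1, SHA256) of the archive and the extracted
# installer, copied from the report.
FILE_HASHES = {
    "47461c560e240275baf5b0d31eb533cd",
    "ed5c927ef7f55b21a9eaa9fff120fd0a1a63ddc3",
    "2a6bcd0f64a4a343b33b6c43ecbd6948f1513459d6811d8febb6b72056a36e86",
    "3ace2504f0eddb23f2d9f783c65727c8",
    "2c6da9a828c5c32132cfbd6991a5f414a6e17dcd",
    "5665013064b9e8061254b8d831c89997885bc03627d10326418db5b961d49e7c",
}
# Hosts from the two C2 URLs in the extracted config.
C2_HOSTS = {"142.132.229.12", "164.92.172.4"}

# Registry locations behind the report's behavioral signatures. These are
# the usual keys each technique reads and are an assumption of this example.
REG_RULES = [
    ("anti_vm_vbox_acpi",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("anti_sandbox_bios",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)Bios", re.I)),
    ("recon_installed_software",
     re.compile(r"\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
]


def parse_event(line):
    """Split one 'key=value|key=value' line into a dict (first '=' wins)."""
    event = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def hashes_in(event):
    """Return lower-case digests from a Sysmon-style 'MD5=..,SHA256=..' field."""
    digests = set()
    for item in event.get("Hashes", "").split(","):
        _, _, digest = item.partition("=")
        if digest:
            digests.add(digest.strip().lower())
    return digests


def tag_event(event):
    """Return the IOC/behavior tags a single event triggers."""
    tags = []
    if hashes_in(event) & FILE_HASHES:
        tags.append("known_hash")
    if event.get("DestinationIp") in C2_HOSTS:
        tags.append("c2_contact")
    target = event.get("TargetObject", "")
    for name, pattern in REG_RULES:
        if pattern.search(target):
            tags.append(name)
    return tags


def triage(lines):
    """Collect tags per process image: {image: sorted list of tags}."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        tags = tag_event(event)
        if tags:
            findings.setdefault(event.get("Image", "?"), set()).update(tags)
    return {image: sorted(tags) for image, tags in findings.items()}


def verdict(tags):
    """A hard IOC hit, or two or more independent evasion/recon behaviors,
    is a detection; a single registry read (installers enumerate Uninstall
    keys too) is only suspicious. Thresholds are assumptions of the example."""
    hard = {"known_hash", "c2_contact"}
    behaviors = set(tags) - hard
    if hard & set(tags) or len(behaviors) >= 2:
        return "malicious"
    return "suspicious"


# Constructed telemetry: the trojanized installer, a genuine client talking
# to a documentation-range IP, and msiexec reading one Uninstall key.
STEALER = r"C:\Users\alice\Downloads\ProtonVPN 5.10.00.exe"
SAMPLE_EVENTS = [
    "EventID=1|Image=" + STEALER + "|Hashes=MD5=3ACE2504F0EDDB23F2D9F783C65727C8,"
    "SHA256=5665013064b9e8061254b8d831c89997885bc03627d10326418db5b961d49e7c",
    "EventID=12|Image=" + STEALER + r"|TargetObject=HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    "EventID=13|Image=" + STEALER + r"|TargetObject=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    "EventID=12|Image=" + STEALER + r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome",
    "EventID=3|Image=" + STEALER + "|DestinationIp=142.132.229.12|DestinationPort=80",
    r"EventID=3|Image=C:\Program Files\Proton\ProtonVPN.exe|DestinationIp=203.0.113.5|DestinationPort=443",
    r"EventID=12|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProtonVPN",
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(f"{verdict(tags):10} {image}  {', '.join(tags)}")
```

Run as written it flags the trojanized installer as malicious on the hash and C2 hits alone, and would still do so on the anti-VM plus BIOS reads without them, while msiexec's single Uninstall-key read stays at suspicious. The NtSetInformationThreadHideFromDebugger signature is not covered here: it is an API-level behavior that registry and network telemetry cannot see, so it needs the sandbox's own instrumentation or an API-hooking agent.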