General

  • Target

    Full-Setup-Password-123.rar

  • Size

    11.0MB

  • Sample

    220725-qpndfseedn

  • MD5

    0eb210a83fa4f03b17708294d08228f9

  • SHA1

    019e823ea5a01c51ccef50bf06b6350b9a4a2df2

  • SHA256

    f3d5f74f47f5d48083167e0b918abfd66d9297f548c1a741c7a98eeb78f99f93

  • SHA512

    08afa464cdbb7d8407ed96f47bd42455046b78f4f20267910a995b3fbd32018ac25eeaccfa64d4657884d4c05b2129e358180ae8677dea40e657f2b3c8c8e175

Malware Config

Targets

    • Target

      Full-Setup-Password-123/FullSetup-Crack.exe

    • Size

      393.6MB

    • MD5

      0ee2fbbeca60e7702c31a5e8f19b5def

    • SHA1

      058acb6544c44f917637dca8ef807670b5710a0d

    • SHA256

      1c335a259e7440b6a33007f92da124512b16c217f46b4680e35066eb56c9fbf1

    • SHA512

      829de71930aaf5d6f8e15aca4694f0f2ceba6163ea10f92ac1e01fb819b4056349b1e50e57d98ee845e5ad088b752b7aaf62072e6807815fd220dd603804fa3b

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Full-Setup-Password-123/Pre-ActivatedSetup.exe

    • Size

      394.6MB

    • MD5

      3f5be2df1e9b82907d2a4c2ef35d4c77

    • SHA1

      f9d19490bdb7aeb386c2668ad0ffa70d6e17c910

    • SHA256

      3765b96b74793a1d255c903ef7a32c1cfadb2a24997aa7b0b896665d1cbf6b7f

    • SHA512

      4ae4ae06a29022f0ce8aef2801cb7488a8ffb55e2f0f59a91ef52320df63eb1fd350da41e6ae3e6e01954072c16aa3cd95526fdd3e017e01d44de32f9b0e228f

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks