General

  • Target: zxcvb.exe
  • Size: 586KB
  • Sample: 220731-f6pmqsahe3
  • MD5: 131a32033cf88976a8df48361b90207d
  • SHA1: ce260393460fa5d4cbfa17d3329fd33594810add
  • SHA256: d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d
  • SHA512: 120a4ef120c7b2d4c07af7e6418eaf83d7f3d41ba13f41ce2e494f76182c4b07fd16ec2ceaf1937ba3e76ecb9149cc42edba315e818dad09882cf77a62f6c708

Malware Config

  • Extracted
    Family: raccoon
    Botnet: 8a4fd4b44997ba634230ba5c422ca9f2
    C2: http://193.106.191.146/
        http://185.215.113.89/
    rc4.plain

  • Extracted
    Family: arkei
    Botnet: Default

  • Extracted
    Family: azorult
    C2: http://195.245.112.115/index.php

Targets

    • Target

      zxcvb.exe


    • Arkei

      Arkei is an infostealer written in C++.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 1

  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 3

  • Collection
    Data from Local System (T1005): 1
