General
-
Target
dc1a9f6a302906f09f414d81100c6bebcaf8d7342d83f926c7aa6c0812e18374
-
Size
181KB
-
Sample
220802-21pansdgfn
-
MD5
1027d4214c0765f7020317cc2aa342ff
-
SHA1
3cebe169ddfbd3f4ef38335c06d1a3b6575882e3
-
SHA256
dc1a9f6a302906f09f414d81100c6bebcaf8d7342d83f926c7aa6c0812e18374
-
SHA512
dbbb79c88b72e08f3bc5ce4b75b214caa6f080c6915b8bc213a03f9a3c21629fc1c0f5d455847f7ab06a5beaad85cbb7bba208472937e63926d639f5caac2c52
Malware Config
Extracted
raccoon
125a9422607402ad773f580d72e3170b
http://91.242.229.142/
Extracted
socelars
https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
-
-
Target
dc1a9f6a302906f09f414d81100c6bebcaf8d7342d83f926c7aa6c0812e18374
-
Size
181KB
-
MD5
1027d4214c0765f7020317cc2aa342ff
-
SHA1
3cebe169ddfbd3f4ef38335c06d1a3b6575882e3
-
SHA256
dc1a9f6a302906f09f414d81100c6bebcaf8d7342d83f926c7aa6c0812e18374
-
SHA512
dbbb79c88b72e08f3bc5ce4b75b214caa6f080c6915b8bc213a03f9a3c21629fc1c0f5d455847f7ab06a5beaad85cbb7bba208472937e63926d639f5caac2c52
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer payload
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-