Overview

overview

10

Static

static

f0d8c6e92f...10.exe

windows7-x64

1

f0d8c6e92f...10.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f0d8c6e92f141e5dfbab79ac231f8a6c7282fbe87c63a3e1d880dc8218491910

  • Size

    123KB

  • Sample

    220802-ja7p8adfcn

  • MD5

    ebf901ec8366ae1581cd4305d027f23d

  • SHA1

    19c4686f2fdc98fbdc9728cd30e0e54e3c1a9bd4

  • SHA256

    02a7ed2121f3fcad722f0c4fa3bea721c023c147401c06ce98906295f7fca434

  • SHA512

    8fe81d5580c17a14d6c526f64305d049971bd9b21c2121a1dfe3a9de3cfff6c3e124cbe1abc45364f71fb83c45c9e013ecbe137f20cf57ede7912ae0f6ca3acc

Score
10/10
raccoonsocelars125a9422607402ad773f580d72e3170bafb5c633c4650f69312baef49db9dfa4discoveryspywarestealervmprotect

Malware Config

Extracted

Family

raccoon

Botnet

125a9422607402ad773f580d72e3170b

C2

http://91.242.229.142/

rc4.plain

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://77.73.132.84

rc4.plain

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

    • Target

      f0d8c6e92f141e5dfbab79ac231f8a6c7282fbe87c63a3e1d880dc8218491910

    • Size

      172KB

    • MD5

      2a01bf6696244c499232e4e01e2103a7

    • SHA1

      364bac98473f938d8e0eff95106b21206818a9d7

    • SHA256

      f0d8c6e92f141e5dfbab79ac231f8a6c7282fbe87c63a3e1d880dc8218491910

    • SHA512

      fe313802bd9b81c86f10e9949a7572786ee24ea4921bef6072a74954f61de08476c412e5bbc90b8ae2c5a36e81c483aaafeba3e87c3b8a4c8a348a0aa902c9c1

    Score
    10/10
    raccoonsocelars125a9422607402ad773f580d72e3170bafb5c633c4650f69312baef49db9dfa4discoveryspywarestealervmprotect

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks