General
Target: e87f68ad84b37f872821019b6aa640b768a7f7200a3ccd636a36a72ea11af815
Size: 123KB
Sample: 220802-krvbwsebhm
MD5: 53bd563d46008aa5fb98fa84f16cdb2f
SHA1: 7c6c785823f90ccc5d5a1da2bf7da4f80db6c947
SHA256: dd23d2274508dd4bfb2d2522853a42e773de7dabbe623bc4a97f0533d935903a
SHA512: f439bc624f08f6a1ad045304a2373b187b4f6705ca6d635dc1cbf6ca5ecb4a3d3c6d53448ebab381479fe45d03b06ce02967071b1f67af4286cd46fb6143f85a
Static task: static1
Behavioral task: behavioral1
Sample: e87f68ad84b37f872821019b6aa640b768a7f7200a3ccd636a36a72ea11af815.exe
Resource: win7-20220718-en
Malware Config
Extracted: raccoon
125a9422607402ad773f580d72e3170b
http://91.242.229.142/
Extracted: socelars
https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
Target: e87f68ad84b37f872821019b6aa640b768a7f7200a3ccd636a36a72ea11af815
Size: 172KB
MD5: a4ab42af8f9542f3c836af848ab120ab
SHA1: 9873de1d285895a3bfc6b1dc333c10e9b6b95512
SHA256: e87f68ad84b37f872821019b6aa640b768a7f7200a3ccd636a36a72ea11af815
SHA512: 63eaa248410d96acded3e1026921e0b2730b6adda5ab24da2eb1bf64955e645e8d42aa66031b6ff59d4791c15de60852c6cbadb7b8d7ccab2a96a87d485336d6
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon Stealer payload
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
  The extracted Socelars config points at an Amazon S3 bucket URL.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the thread from reporting debug events to an attached debugger; a common anti-analysis technique.
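As an added example (not part of the sandbox report and not the analysis tool's own code), the script below takes the hashes and the extracted Raccoon and Socelars config values from this report, checks that each digest is well-formed for its algorithm before it is loaded into a blocklist, turns the config URLs into host and IP indicators, and matches them against a few proxy log lines. The log lines and their format, the list of IP-lookup hostnames, and the rule that an amazonaws.com host in a config counts as abused cloud hosting are assumptions constructed for the example, not observations from the sandbox run.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Digest values copied from the report above (constructed input for this example).
REPORT_HASHES = {
    "123KB sample": {
        "md5": "53bd563d46008aa5fb98fa84f16cdb2f",
        "sha1": "7c6c785823f90ccc5d5a1da2bf7da4f80db6c947",
        "sha256": "dd23d2274508dd4bfb2d2522853a42e773de7dabbe623bc4a97f0533d935903a",
        "sha512": "f439bc624f08f6a1ad045304a2373b187b4f6705ca6d635dc1cbf6ca5ecb4a3d"
                  "3c6d53448ebab381479fe45d03b06ce02967071b1f67af4286cd46fb6143f85a",
    },
    "172KB target": {
        "md5": "a4ab42af8f9542f3c836af848ab120ab",
        "sha1": "9873de1d285895a3bfc6b1dc333c10e9b6b95512",
        "sha256": "e87f68ad84b37f872821019b6aa640b768a7f7200a3ccd636a36a72ea11af815",
        "sha512": "63eaa248410d96acded3e1026921e0b2730b6adda5ab24da2eb1bf64955e645e"
                  "8d42aa66031b6ff59d4791c15de60852c6cbadb7b8d7ccab2a96a87d485336d6",
    },
}

# Extracted config values copied from the report's Malware Config section.
EXTRACTED = {
    "raccoon": ["125a9422607402ad773f580d72e3170b", "http://91.242.229.142/"],
    "socelars": ["https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/"],
}

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Assumptions for this example: object-storage suffixes that count as
# "legitimate hosting abused" when they show up in an extracted config, and a
# short list of public IP-lookup services worth flagging.
CLOUD_HOST_SUFFIXES = (".amazonaws.com",)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}


def check_digest(algo, value):
    """True if value is a lowercase hex digest of the right length for algo."""
    return len(value) == DIGEST_LEN[algo] and HEX_RE.match(value) is not None


def validate_report(hashes):
    """Return (sample, algo) pairs whose digest is malformed; empty means all good."""
    return [(name, algo) for name, digests in hashes.items()
            for algo, value in digests.items() if not check_digest(algo, value)]


def iocs_from_config(extracted):
    """Split extracted config values into URL hosts, bare IPs, and opaque strings."""
    iocs = {"hosts": {}, "ips": set(), "opaque": {}}
    for family, values in extracted.items():
        for value in values:
            if "://" in value:
                host = urlparse(value).hostname
                iocs["hosts"][host] = family
                try:
                    iocs["ips"].add(str(ipaddress.ip_address(host)))
                except ValueError:
                    pass  # a DNS name, not an IP literal
            else:
                # e.g. the 32-hex Raccoon value: keep it, but do not guess its role
                iocs["opaque"].setdefault(family, []).append(value)
    return iocs


# Assumed proxy log format: "<timestamp> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, iocs):
    """Return (client, host, reason) for lines that reach an IOC host or an IP-lookup service."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlparse(m["url"]).hostname or ""
        if host in iocs["hosts"]:
            reason = f"{iocs['hosts'][host]} config URL"
            if host.endswith(CLOUD_HOST_SUFFIXES):
                reason += " (abused cloud storage)"
            hits.append((m["client"], host, reason))
        elif host in IP_LOOKUP_HOSTS:
            hits.append((m["client"], host, "external IP lookup"))
    return hits


# Constructed proxy log lines; not captured from the sandbox run.
SAMPLE_LOG = [
    "2022-08-02T11:05:10Z 10.0.0.23 GET http://91.242.229.142/ 200",
    "2022-08-02T11:05:12Z 10.0.0.23 GET https://api.ipify.org/ 200",
    "2022-08-02T11:05:15Z 10.0.0.23 GET https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/ 200",
    "2022-08-02T11:06:00Z 10.0.0.40 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    print("malformed digests:", validate_report(REPORT_HASHES))
    for hit in scan_proxy_log(SAMPLE_LOG, iocs_from_config(EXTRACTED)):
        print(*hit)
```

The opaque Raccoon value is kept separate on purpose: the report does not say what it is, so it is stored as a family-tagged string rather than treated as a host or key. The IP-lookup match is a weak signal on its own and is reported separately from config-URL hits so an analyst can weight it accordingly.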