General

Target: ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8
Size: 1.8MB
Sample: 220802-kzax8adbe8
MD5: 6dbedbc7004b82e9350e6a27cbe0684a
SHA1: ade3b72837acc0f94f21cdee9e81df66b58f2e1b
SHA256: ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8
SHA512: 751d8e4098aa7edd0945460b0d202ffef36a1de5a435ab4ffeed4345b19fd6dbbf20d48cdcd6d452c2692ad0a777629d84f71e249fb0b1347d933fcfe289e80a
Static task: static1

Behavioral task: behavioral1
Sample: ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
Resource: win10v2004-20220721-en
Malware Config

Extracted
http://hyperhyper8.com/welcome

Extracted
Family: raccoon
c4376f037b1703b305ca5fb81f6ffc21
http://74.119.192.73/
http://77.75.230.84/
Targets

Target: ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8
Size: 1.8MB
MD5: 6dbedbc7004b82e9350e6a27cbe0684a
SHA1: ade3b72837acc0f94f21cdee9e81df66b58f2e1b
SHA256: ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8
SHA512: 751d8e4098aa7edd0945460b0d202ffef36a1de5a435ab4ffeed4345b19fd6dbbf20d48cdcd6d452c2692ad0a777629d84f71e249fb0b1347d933fcfe289e80a

Signatures:
- Raccoon Stealer payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Unexpected DNS network traffic destination: network traffic on the DNS port to servers other than the configured DNS servers was detected.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
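The two network indicators in this report, the Raccoon C2 addresses and download URL from the Malware Config and the "Unexpected DNS network traffic destination" signature, can be turned into a small triage check over connection logs. The following is an added example written for this page, not part of the sandbox report or of any vendor tooling. The indicator values are the ones listed above; the log format, the log lines, the resolver addresses (10.0.0.53, 10.0.1.53) and the non-indicator IP 104.21.0.10 are constructed for illustration.

```python
"""Triage connection logs against the indicators in this report.

Added example, not part of the sandbox report. Indicators are copied from the
report's Malware Config section; everything else (log format, log lines,
configured resolvers) is constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Indicators from the report's Malware Config section.
C2_URLS = ["http://74.119.192.73/", "http://77.75.230.84/"]
DOWNLOAD_URL = "http://hyperhyper8.com/welcome"

# Hostnames (IP literals or domains) that should never appear as a destination
# or as a DNS query name in a clean environment.
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS + [DOWNLOAD_URL]}

# Assumed (constructed): the resolvers this environment is configured to use.
# Port-53 traffic to anything else is what the report's "Unexpected DNS
# network traffic destination" signature flags.
CONFIGURED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed log lines in a simplified "ts src dst dport proto name" format,
# where name is the DNS query name for UDP/53 and the HTTP Host for TCP/80.
SAMPLE_LOGS = """\
1659444001 10.0.0.25 10.0.0.53 53 udp hyperhyper8.com
1659444002 10.0.0.25 104.21.0.10 80 tcp hyperhyper8.com
1659444005 10.0.0.25 74.119.192.73 80 tcp 74.119.192.73
1659444006 10.0.0.25 8.8.8.8 53 udp example.org
1659444010 10.0.0.25 10.0.0.53 53 udp update.microsoft.com
1659444012 10.0.0.25 77.75.230.84 80 tcp 77.75.230.84
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<name>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format into a list of dicts; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def match_c2(events):
    """Events whose destination IP or query/Host name is a report indicator.

    A DNS lookup for the download domain counts: the resolver is the
    destination, but the query name itself is the indicator.
    """
    return [e for e in events if e["dst"] in C2_HOSTS or e["name"] in C2_HOSTS]


def unexpected_dns(events, resolvers=CONFIGURED_RESOLVERS):
    """DNS-port traffic to any server other than the configured resolvers."""
    return [e for e in events if e["dport"] == 53 and e["dst"] not in resolvers]


def triage(text, resolvers=CONFIGURED_RESOLVERS):
    """Run both checks over raw log text and return the matching events."""
    events = parse_logs(text)
    return {
        "c2": match_c2(events),
        "unexpected_dns": unexpected_dns(events, resolvers),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOGS).items():
        for e in hits:
            print(f"{category}: {e['ts']} {e['src']} -> {e['dst']}:{e['dport']} {e['name']}")
```

Matching on the query name as well as the destination IP matters for the download URL: the resolver answering the lookup is a legitimate destination, so a pure IP match would miss the first sign of the infection chain. Any hit on the two Raccoon addresses is worth treating as a confirmed compromise rather than a lead, since they appear only in the extracted config and have no legitimate reason to be contacted.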