General
-
Target
d1bf01090d9ec8523bc3bd0bd9d268e396577fe8a37a85e579b9e5338a15164b
-
Size
123KB
-
Sample
220802-mbzb1sdgd7
-
MD5
d89f38e1616e1fa709356230986149b8
-
SHA1
f0c6611adde809c2d5ce7d71e08b2ed946aa5683
-
SHA256
a76ac3a649cb85ef4fdba6e02940a5bf0e53a811a1ab43daad7a3a08716a67d8
-
SHA512
a47df46ecbcc09882858afded4a4e719c31ac320b720876c2b0e38214e9fd288d7850d6f273e44a4e26cce3441a18ba210a17f60e7f7e94c5d4894a69ad72ae6
Static task
static1
Behavioral task
behavioral1
Sample
d1bf01090d9ec8523bc3bd0bd9d268e396577fe8a37a85e579b9e5338a15164b.exe
Resource
win7-20220718-en
Malware Config
Extracted
raccoon
125a9422607402ad773f580d72e3170b
http://91.242.229.142/
Extracted
socelars
https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
-
-
Target
d1bf01090d9ec8523bc3bd0bd9d268e396577fe8a37a85e579b9e5338a15164b
-
Size
172KB
-
MD5
228c5ce9970aa77402706d76f99ec6f3
-
SHA1
78d14429a90aa8274be1849a1d7360ab587bd0b6
-
SHA256
d1bf01090d9ec8523bc3bd0bd9d268e396577fe8a37a85e579b9e5338a15164b
-
SHA512
296e94f8078acdf5a8acd564603f96b40047782916f89a30519a8083d4ab82663dd138352b5430a106f6e829620d667afd55ab28ffec573ca08a795d0d3296b1
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon Stealer payload
-
Socelars payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-