Overview

overview

10

Static

static

7dcc9fa5e1...94.exe

windows7-x64

1

7dcc9fa5e1...94.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494

  • Size

    124KB

  • Sample

    220802-pppqvagaal

  • MD5

    bdfc07c0e99a25f785ac356de0a17241

  • SHA1

    f0e2b95ec34ef4d3ebe816f9f5ecdad449a73a1a

  • SHA256

    aaf70271d8cbc2838d597a080d6d46c8bdb9932e8776f4d87f7be7198c22381b

  • SHA512

    46863a9c092797c3944ee960c0c4601f22c0e7987a536e615f5ab4560c1d0b3dbad0821be89e8f43034cf5681335842807b0837ea2539137c5f41e288fb1e370

Score
10/10
raccoonsocelars125a9422607402ad773f580d72e3170bspywarestealervmprotect

Malware Config

Extracted

Family

raccoon

Botnet

125a9422607402ad773f580d72e3170b

C2

http://91.242.229.142/

rc4.plain

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

    • Target

      7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494

    • Size

      173KB

    • MD5

      b08ac18cdfd80fce452857cd4cc7f872

    • SHA1

      2dc1ff6552a5c615b30e5d28aba474e811f4dab6

    • SHA256

      7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494

    • SHA512

      f56ecf66978d296f36777fa6b5a38ea553fa388a4b5ebe718bd9385a328182ee0af79daf4f1620b40da7300b3cee4b0fb45946525f8c636d512a19ce266daaf1

    Score
    10/10
    raccoonsocelars125a9422607402ad773f580d72e3170bspywarestealervmprotect

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks