General
Target: 7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494
Size: 124KB
Sample: 220802-pppqvagaal
MD5: bdfc07c0e99a25f785ac356de0a17241
SHA1: f0e2b95ec34ef4d3ebe816f9f5ecdad449a73a1a
SHA256: aaf70271d8cbc2838d597a080d6d46c8bdb9932e8776f4d87f7be7198c22381b
SHA512: 46863a9c092797c3944ee960c0c4601f22c0e7987a536e615f5ab4560c1d0b3dbad0821be89e8f43034cf5681335842807b0837ea2539137c5f41e288fb1e370
Static task: static1
Behavioral task: behavioral1
Sample: 7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494.exe
Resource: win7-20220718-en
Malware Config
Extracted: raccoon
Value: 125a9422607402ad773f580d72e3170b (32 hex characters; the report does not label this field)
C2: http://91.242.229.142/
Extracted: socelars
C2: https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
Target: 7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494
Size: 173KB
MD5: b08ac18cdfd80fce452857cd4cc7f872
SHA1: 2dc1ff6552a5c615b30e5d28aba474e811f4dab6
SHA256: 7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494
SHA512: f56ecf66978d296f36777fa6b5a38ea553fa388a4b5ebe718bd9385a328182ee0af79daf4f1620b40da7300b3cee4b0fb45946525f8c636d512a19ce266daaf1

Note that the submitted object in the General section (124KB, SHA256 starting aaf70271) and this analysed target (173KB, SHA256 starting 7dcc9fa5) are different files; only the target's SHA256 matches the file name, so pivot on the target's hashes when hunting for the executable itself.
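The following is an added example, not part of this report and not Triage's own code or tooling. It re-types the report's own hash and C2 values (the REPORT string below is a constructed copy in "Key: value" form, which is an assumed layout rather than the sandbox's export format), validates the hashes, shows that two distinct SHA256 values are present, classifies and defangs the network indicators, and hashes a local file the way a practitioner would before comparing it with the Targets entry. All function names are the editor's own.

```python
"""Editor-added example: pull IOCs out of the report above and sanity-check
hashes. Not Triage output or the sample's code; REPORT is a constructed
re-typing of the page's own values in "Key: value" form."""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

REPORT = """\
General
Target: 7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494
Size: 124KB
MD5: bdfc07c0e99a25f785ac356de0a17241
SHA1: f0e2b95ec34ef4d3ebe816f9f5ecdad449a73a1a
SHA256: aaf70271d8cbc2838d597a080d6d46c8bdb9932e8776f4d87f7be7198c22381b
Malware Config
Family: raccoon
C2: http://91.242.229.142/
Family: socelars
C2: https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
Target: 7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494
Size: 173KB
MD5: b08ac18cdfd80fce452857cd4cc7f872
SHA1: 2dc1ff6552a5c615b30e5d28aba474e811f4dab6
SHA256: 7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SECTIONS = ("General", "Malware Config", "Targets")


def parse_report(text):
    """Split the flat report into file entries and (family, C2 URL) pairs.

    Every hash is checked for the right length and hex alphabet, so a
    truncated or mis-copied value fails here instead of silently becoming a
    blocklist entry that never matches.
    """
    files, c2, section, current, family = [], [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, current, family = line, None, None
            continue
        key, _, value = line.partition(":")   # first ':' only, so URLs survive
        key, value = key.strip(), value.strip()
        if key == "Family":
            family = value
        elif key == "C2":
            c2.append((family, value))
        elif key == "Target":
            current = {"section": section, "Target": value}
            files.append(current)
        elif current is None:
            continue
        elif key in HASH_LEN:
            if len(value) != HASH_LEN[key] or not re.fullmatch(r"[0-9a-fA-F]+", value):
                raise ValueError(f"malformed {key} in {section}: {value!r}")
            current[key] = value.lower()
        elif key == "Size":
            current["Size"] = value
    return {"files": files, "c2": c2}


def distinct_sha256(parsed):
    """SHA256 values seen across sections. More than one means the submitted
    object and the analysed target are different files, as in this report."""
    return sorted({f["SHA256"] for f in parsed["files"] if "SHA256" in f})


def network_iocs(parsed):
    """Classify each C2 host as IP or hostname and defang the URL so it is
    not auto-linked (and clicked) when pasted into a ticket."""
    out = []
    for family, url in parsed["c2"]:
        host = urlparse(url).hostname
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "hostname"
        defanged = url.replace("http", "hxxp", 1).replace(".", "[.]")
        out.append({"family": family, "kind": kind, "host": host, "defanged": defanged})
    return out


def hash_bytes(data):
    """The four digests the report lists, for comparing a local copy."""
    return {name: hashlib.new(name.lower(), data).hexdigest() for name in HASH_LEN}


def matches_entry(hashes, entry):
    """True when every hash the report entry carries equals the computed one."""
    return all(hashes[k] == entry[k] for k in HASH_LEN if k in entry)


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("distinct SHA256 values:", distinct_sha256(parsed))
    for ioc in network_iocs(parsed):
        print(ioc)
```

To check a local copy, read the file's bytes, pass them to hash_bytes, and compare against the Targets entry (parsed["files"][1]) rather than the General entry, since only the former describes the 173KB executable.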
Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon Stealer payload
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
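The behavioural signatures above, expressed as detection rules over endpoint telemetry, as an added example that is not Triage's signature engine, event format or code. The EVENTS list is constructed, simplified telemetry for one run of the target; the registry key (Control Panel\International\Geo\Nation), the IP-echo hostnames, the dropped-file path and the process IDs are the editor's assumptions, since the report names none of them. The only value taken from documentation rather than the page is 0x11, the THREADINFOCLASS value for ThreadHideFromDebugger. The "Contacts C2 from extracted config" rule is an editor's addition that ties the config URLs to the traffic; it is not one of the report's signatures.

```python
"""Editor-added example: the report's behavioural signatures as rules over
constructed endpoint telemetry. Not Triage's engine and not its event format."""
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE = "C:\\Users\\Admin\\7dcc9fa5e11e42d79adafaaba6e97f179738a9cedd9db58626ff78f888fb6494.exe"
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hy3k.exe"   # constructed path; the report gives none

# Constructed telemetry (simplified): the target checks locale, reaches out,
# drops a PE, launches it, and the child hides its thread from debuggers.
EVENTS = [
    {"type": "process", "pid": 1204, "ppid": 988, "image": SAMPLE},
    {"type": "registry", "pid": 1204, "op": "QueryValue",
     "path": "HKCU\\Control Panel\\International\\Geo\\Nation"},
    {"type": "network", "pid": 1204, "url": "https://api.ipify.org/"},
    {"type": "network", "pid": 1204, "url": "http://91.242.229.142/"},
    {"type": "file_write", "pid": 1204, "path": DROPPED, "header": b"MZ\x90\x00"},
    {"type": "process", "pid": 1320, "ppid": 1204, "image": DROPPED},
    {"type": "api", "pid": 1320, "name": "NtSetInformationThread", "info_class": 0x11},
]

# Assumption: the "location settings" check reads the Geo\Nation value; the
# report only says "country code configured in the registry".
GEO_KEY_SUFFIX = "\\international\\geo\\nation"
# Constructed allowlist of public IP-echo services; the report names none.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com", "icanhazip.com"}
THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS value for ThreadHideFromDebugger
REPORT_C2 = {"91.242.229.142", "hueduy.s3.eu-west-1.amazonaws.com"}   # from Malware Config above


def evaluate(events):
    """Return {signature name: sorted pids} for every rule that fired.

    Rules are order-sensitive on purpose: a PE counts as "dropped" only after
    a file_write with an MZ header was seen, and "Downloads MZ/PE file" is
    approximated as such a write by a process that already had network activity.
    """
    hits = defaultdict(set)
    dropped, talked = set(), set()
    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "registry" and e["path"].lower().endswith(GEO_KEY_SUFFIX):
            hits["Checks computer location settings"].add(pid)
        elif kind == "network":
            host = urlparse(e["url"]).hostname
            talked.add(pid)
            if host in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].add(pid)
            if host in REPORT_C2:
                hits["Contacts C2 from extracted config"].add(pid)  # editor's label, not a Triage signature
        elif kind == "file_write" and e["header"][:2] == b"MZ":
            dropped.add(e["path"].lower())
            if pid in talked:
                hits["Downloads MZ/PE file"].add(pid)
        elif kind == "process" and e["image"].lower() in dropped:
            hits["Executes dropped EXE"].add(e["ppid"])   # attributed to the launcher
        elif (kind == "api" and e["name"] == "NtSetInformationThread"
              and e["info_class"] == THREAD_HIDE_FROM_DEBUGGER):
            hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].add(pid)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in evaluate(EVENTS).items():
        print(f"{name}: pids {pids}")
```

The geofence and IP-lookup rules are low-signal on their own (installers and telemetry agents read the same key and call the same services); the value in the report is the combination of a locale check, an external-IP lookup, a dropped PE being executed and anti-debugging in the child, which is why the rules return per-signature pid lists that can be correlated rather than a single verdict.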