General
-
Target
68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d
-
Size
181KB
-
Sample
220803-esb9tagafr
-
MD5
0e67ced6b45068364af5390fbd5b9a5f
-
SHA1
855c6894c29034e52b281a30efa26fa552cbd06a
-
SHA256
68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d
-
SHA512
558c15769af80e6c2fe78e00f50ba65a1d086491be20bd37be12529bd0f07f5cb3834c9ec34642de8addd58f9b504fb5d8a488d4055b38238460e461ffc31b58
Static task
static1
Malware Config
Extracted
raccoon
125a9422607402ad773f580d72e3170b
http://91.242.229.142/
Extracted
socelars
https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
-
-
Target
68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d
-
Size
181KB
-
MD5
0e67ced6b45068364af5390fbd5b9a5f
-
SHA1
855c6894c29034e52b281a30efa26fa552cbd06a
-
SHA256
68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d
-
SHA512
558c15769af80e6c2fe78e00f50ba65a1d086491be20bd37be12529bd0f07f5cb3834c9ec34642de8addd58f9b504fb5d8a488d4055b38238460e461ffc31b58
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon Stealer payload
-
Socelars payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-