General
- Target: 9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77
- Size: 340KB
- Sample: 220804-sg9ylahcbr
- MD5: 827c533e6030bf67b53460a3bf20813f
- SHA1: 46a5f78f7e79cd5f39ae76c925bc9ada1243be08
- SHA256: 9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77
- SHA512: 57b45d28994722620d5496a0f267060345d385358dabf7bace2337f8975940d6dc39ea6bf5c677943176f55dc536b7c2bb1013671fa3909235b1bf53e9e07f7f
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
- Resource: win10v2004-20220721-en
Malware Config
- Extracted: socelars
  - https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
- Extracted: raccoon
  - 9ff0d3252fc925e8866300fd0964f332
  - http://51.195.166.176
Targets
- Target: 9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77
- Size: 340KB
- MD5: 827c533e6030bf67b53460a3bf20813f
- SHA1: 46a5f78f7e79cd5f39ae76c925bc9ada1243be08
- SHA256: 9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77
- SHA512: 57b45d28994722620d5496a0f267060345d385358dabf7bace2337f8975940d6dc39ea6bf5c677943176f55dc536b7c2bb1013671fa3909235b1bf53e9e07f7f
Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon Stealer payload
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext