General

  • Target

    8998bfb3dbc6c70d82afc746d6be48c4.exe

  • Size

    452KB

  • Sample

    220829-n4kvrsggek

  • MD5

    8998bfb3dbc6c70d82afc746d6be48c4

  • SHA1

    4f8796db766bd41370d87976e097a6dd06338a03

  • SHA256

    b140d23cad4bacb53d3dab6b15828129b51cbc77bb9ba0297bed5d5323b9781e

  • SHA512

    6e353bd8a754d257a7cca686f941823b775d49cc535f07bfed19923b839229fd2de3d11e30eeea56a8ab45892fe376b49ffc6a040d32c6afd21707ff945573f3

  • SSDEEP

    12288:f8l4FQOWYQvd4mEI7zUCwGeHPRVIrkU8+Th:lQhYqdsZVIrkq

Malware Config

Extracted

Family

raccoon

Botnet

77602e57d19524a205ffcb84db4a013b

C2

http://45.67.35.151/

rc4.plain

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=Fate1337

Wallets

DKqTfjWcxULLMPhvUyKdtReRtNEZ4HSAgD

r3bB4NXmog8ozTuJpPBjYpPMH6XKa9QTY5

0x379844563B2947bCf8Ee7660d674E91704ba85cc

Xbd8YLpgw4ozYe6B8t4KF7oFmEgFCaeR2F

TVkpWWHjd2ddXYVGw8E7YsowfbYaCizwrY

t1SH4jS9wURQMDhEvyAAQSfYDC8hEawBdrK

GCCFDFVYXWTUSB3JIA6NBJNVYTMBD2MYTNVHF3G7QMQXY3PYSXMYGNKF

45vYBVpWhcrBu98FM2dXZUbXBhywVsck6Vba7PKY86ms6QJ185FFWuhR41cCyr8pfJbNNS5EbDPVkaJPByxUHuFxCsL9iBu

qqxm73rvrlh7zxhhlkalwadsqgte9d7lfc072hn2ra

12CmRkqqDVeA1sd5um6eKosttoPPZktLnm

0x675585AcFb13A721f00Da26cB61d31210C6eE932

LfWNvpj1q8ULhaEN4MhSQRhKQqfwUvXjPV

ronin:d9b303aA47179A673FED60dD34559dAF133BC149

79241794097

+79889916188

+79889916188

https://steamcommunity.com/tradeoffer/new/?partner=896820235&token=FIQwFTT8

LP1oSHdQ3kdgrWnPvB5XtuBLZaMq9JMoWt

ltc1qpdwhnnvrankvmksa98dpswkfe825yfd8690jfe

bc1qngt9pchlwak6rzc37ez05sfhzr8dnyupu7e769

Targets

    • Target

      8998bfb3dbc6c70d82afc746d6be48c4.exe

    • Size

      452KB

    • MD5

      8998bfb3dbc6c70d82afc746d6be48c4

    • SHA1

      4f8796db766bd41370d87976e097a6dd06338a03

    • SHA256

      b140d23cad4bacb53d3dab6b15828129b51cbc77bb9ba0297bed5d5323b9781e

    • SHA512

      6e353bd8a754d257a7cca686f941823b775d49cc535f07bfed19923b839229fd2de3d11e30eeea56a8ab45892fe376b49ffc6a040d32c6afd21707ff945573f3

    • SSDEEP

      12288:f8l4FQOWYQvd4mEI7zUCwGeHPRVIrkU8+Th:lQhYqdsZVIrkq

    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

              Privilege Escalation

                Tasks