General

  • Target

    Installer.exe

  • Size

    1000KB

  • Sample

    220831-c6v8qsfgbj

  • MD5

    6ffb07e3414cd88275cd4c3b8bbe7b5e

  • SHA1

    0b5f524c0478d84860d16c786358ebda166a5ee1

  • SHA256

    f93521d653a724f562be130f117f3e7ee1b87eeab357f3c5695812a4a9ea73a5

  • SHA512

    ec9f389f258b2553b52c68ea602c55aacd0d1ed052b17d63b7ca5324b2bccfab97e843d540baea9628f15dc9a798b58512218921373f535815093351f2388885

  • SSDEEP

    12288:jylN+SwBxYRjRGLFA8gpO4Xspi5n/IxrcBWQzf7x:jDSw/RsWe1W4

Malware Config

Extracted

  • Family

    raccoon

  • Botnet

    4689c837190317f8309bc798897decf7

  • C2

    http://91.234.254.126/

  • rc4.plain

Targets

    • Target

      Installer.exe

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • YTStealer

      YTStealer is a malware designed to steal YouTube authentication cookies.

    • YTStealer payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks