General

  • Target: ee933b2ba59c83e93c1094ee73c0b1f49725779391240dfd45aa9facdf1c98e6
  • Size: 153KB
  • Sample: 220907-tf394aceb4
  • MD5: 04d1bc35237a7b8f9e38243a268d22c0
  • SHA1: f368a73c35fb7f47ac99cb693f2532730e75129d
  • SHA256: ee933b2ba59c83e93c1094ee73c0b1f49725779391240dfd45aa9facdf1c98e6
  • SHA512: b43fa45eec454e14eadffd59c4021d961ee4ea2a5db557d788d25a6b1a3feb7a7764bbebd64f90beac9e4213282e5d492c4d2158cc10d5872d3ac6409d52c065
  • SSDEEP: 3072:peTxD8Rwh3iTLlFjXoPkbBNop8zCtj6s6j5Kz/+zJUmaRibX9p:p+D53ivvS8+tj6J0z00ibtp

Malware Config

Extracted

Family: raccoon

Botnet: 654b3e7f2d409dcde795b5d2dacf4955

C2: http://46.249.58.152/

rc4.plain: (the sample's RC4 key in plaintext form; no value is recorded here)
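The `rc4.plain` field names the plaintext RC4 key a Raccoon build carries to decrypt its embedded strings and C2 material. The block below is an added example, not code from the report or from the malware: it implements RC4 and shows how a recovered key is applied to carved blobs and validated. The key `example-rc4-key` and the "extracted" blobs are constructed test data; the real key for this sample is not on this page.

```python
# Added example (not from the sandbox report or the Raccoon authors): RC4,
# the cipher behind the report's `rc4.plain` field. KEY and the blobs below
# are constructed test data; the sample's real key is not recorded here.
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_text(buf: bytes) -> bool:
    """Cheap check that separates a correct key from a wrong one:
    decrypted config strings should come out as printable ASCII."""
    return len(buf) > 0 and all(0x20 <= b < 0x7F for b in buf)


def decrypt_strings(key: bytes, blobs: List[bytes]) -> List[str]:
    """Decrypt each blob with `key`; raise on the garbage a wrong key yields."""
    out = []
    for blob in blobs:
        pt = rc4_crypt(key, blob)
        if not looks_like_text(pt):
            raise ValueError(f"key {key!r} produced non-text: {pt.hex()}")
        out.append(pt.decode("ascii"))
    return out


def key_works(key: bytes, blobs: List[bytes]) -> bool:
    """True if every blob decrypts to text under `key`."""
    try:
        decrypt_strings(key, blobs)
        return True
    except ValueError:
        return False


# Constructed sample: a hypothetical key and the kind of strings a stealer
# config carries (C2 URL, config id). In real analysis the blobs are carved
# from the binary; here they are produced by encrypting known text.
KEY = b"example-rc4-key"
PLAIN_STRINGS = [b"http://192.0.2.10/", b"configId=0123456789abcdef"]
ENCRYPTED_BLOBS = [rc4_crypt(KEY, s) for s in PLAIN_STRINGS]


if __name__ == "__main__":
    for s in decrypt_strings(KEY, ENCRYPTED_BLOBS):
        print(s)
    print("wrong key accepted:", key_works(b"wrong-key", ENCRYPTED_BLOBS))
```

`rc4_crypt` is checked against the published RC4 test vector (key `Key`, plaintext `Plaintext`, ciphertext `bbf316e8d940af0ad3`), so the same routine can be pointed at blobs carved from a real sample once the `rc4.plain` value is known; the printable-text check is what tells you the key was right.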

Targets

    • Target: ee933b2ba59c83e93c1094ee73c0b1f49725779391240dfd45aa9facdf1c98e6 (153KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Reads the country/locale code configured in the registry, most likely to geofence: stealers of this family commonly refuse to run on machines located in certain countries.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

      Setting another process's thread context is the usual final step of process hollowing or similar injection: the payload is written into a suspended process and the thread's instruction pointer is redirected to it, so the dropped PE runs under a benign-looking process name.
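The signatures above say what the sample does; the immediate operational question is which hosts talked to the C2. The block below is an added example, not part of the sandbox report: it sweeps web-proxy log lines for the C2 listed under Malware Config, matching on the parsed destination host rather than on a substring. The only value taken from the report is the C2 URL; the log lines are constructed in Squid's native access.log layout and are not captured traffic.

```python
# Added example, not part of the sandbox report: sweep web-proxy logs for the
# C2 indicator listed under Malware Config. Log lines are constructed in
# Squid native access.log layout (time elapsed client code/status bytes
# method url ident peer type); they are not captured traffic.
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

C2_URLS = ["http://46.249.58.152/"]  # from the report's Malware Config


def host_of(url: str) -> str:
    """Host part of a proxied URL, lower-cased and without the port.
    Handles the bare "host:port" form that CONNECT requests use."""
    if "://" not in url:
        url = "//" + url  # make urlsplit treat "host:port" as a netloc
    return (urlsplit(url).hostname or "").lower()


C2_HOSTS: Set[str] = {host_of(u) for u in C2_URLS}

# Constructed log lines. Line 4 has the C2 address as a substring of a
# different address and line 6 carries it in a query string: neither is C2
# traffic, and a naive substring search flags both.
SAMPLE_LOGS = [
    "1662541200.123 45 10.0.0.5 TCP_MISS/200 512 POST http://46.249.58.152/ - HIER_DIRECT/46.249.58.152 text/html",
    "1662541201.456 30 10.0.0.7 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1662541202.789 51 10.0.0.5 TCP_MISS/200 4096 POST http://46.249.58.152:80/ - HIER_DIRECT/46.249.58.152 application/octet-stream",
    "1662541203.000 20 10.0.0.9 TCP_MISS/200 300 GET http://146.249.58.152/ - HIER_DIRECT/146.249.58.152 text/html",
    "1662541204.250 10 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 46.249.58.152:443 - HIER_DIRECT/46.249.58.152 -",
    "1662541205.500 15 10.0.0.7 TCP_MISS/200 800 GET http://example.com/?r=46.249.58.152 - HIER_DIRECT/93.184.216.34 text/html",
]


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Return (timestamp, client, method, url) from a Squid-format line."""
    f = line.split()
    return f[0], f[2], f[5], f[6]


def find_c2_hits(lines: List[str], c2_hosts: Set[str]) -> List[Dict[str, str]]:
    """Match on the parsed destination host, so explicit ports, CONNECT
    tunnels and look-alike addresses are all handled correctly."""
    hits = []
    for line in lines:
        ts, client, method, url = parse_line(line)
        if host_of(url) in c2_hosts:
            hits.append({"ts": ts, "client": client, "method": method, "url": url})
    return hits


def substring_hits(lines: List[str], c2_hosts: Set[str]) -> int:
    """The naive approach, kept only to show its false positives."""
    return sum(1 for line in lines if any(h in line for h in c2_hosts))


def affected_clients(hits: List[Dict[str, str]]) -> Set[str]:
    """Source addresses that reached the C2: the hosts to isolate first."""
    return {h["client"] for h in hits}


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOGS, C2_HOSTS)
    for h in hits:
        print(h)
    print("hosts to isolate:", sorted(affected_clients(hits)))
    print("naive substring matches:", substring_hits(SAMPLE_LOGS, C2_HOSTS))
```

On the constructed input the host-based match returns the three genuine contacts (all from 10.0.0.5), while the substring approach also flags the look-alike address and the query-string occurrence. Matching on the C2 host alone is deliberate: the page gives a bare IP over plain HTTP, and the same address may later be reached on other ports or via CONNECT, which a full-URL match would miss.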

MITRE ATT&CK Enterprise v6

Tasks