Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d

  • Size

    379KB

  • Sample

    220908-m1jymabefl

  • MD5

    06f7b1a3af6a67252c707f260a031c57

  • SHA1

    3fee890a57a4fd651f9263472fa73115bbfe03d5

  • SHA256

    c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d

  • SHA512

    6925ef7f3943890650c3250489eda05e16c62f76212a6329790f9e3d013a08e765e739806f78f19429a2fa045ab82cd6078d6d545e7144a554cd46261ea740fe

  • SSDEEP

    6144:KbI21ai1wnZ0KtvusH5n4NGSaSVLKlJmqork5jruMJ3Pqe9Pcr6J:6IXi1wZ0KtvusH5n4NGSaSVutruMJ3Nj

Score
10/10
raccoon654b3e7f2d409dcde795b5d2dacf4955discoveryevasionexploitspywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

654b3e7f2d409dcde795b5d2dacf4955

C2

http://46.249.58.152/

rc4.plain

Targets

    • Target

      c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d

    • Size

      379KB

    • MD5

      06f7b1a3af6a67252c707f260a031c57

    • SHA1

      3fee890a57a4fd651f9263472fa73115bbfe03d5

    • SHA256

      c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d

    • SHA512

      6925ef7f3943890650c3250489eda05e16c62f76212a6329790f9e3d013a08e765e739806f78f19429a2fa045ab82cd6078d6d545e7144a554cd46261ea740fe

    • SSDEEP

      6144:KbI21ai1wnZ0KtvusH5n4NGSaSVLKlJmqork5jruMJ3Pqe9Pcr6J:6IXi1wZ0KtvusH5n4NGSaSVutruMJ3Nj

    Score
    10/10
    raccoon654b3e7f2d409dcde795b5d2dacf4955discoveryevasionexploitspywarestealer

    • Modifies security service

      evasion

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2
T1031

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks