Overview

overview

10

Static

static

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

langs/Hungarian.ps1

windows7-x64

1

langs/Hungarian.ps1

windows10-2004-x64

1

langs/Korean.ps1

windows7-x64

1

langs/Korean.ps1

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

  • Target

    Pass_1234_SetupFile.zip

  • Size

    6.6MB

  • Sample

    220917-pl1nyadgak

  • MD5

    58fd9ee51acce5bf93fcd1843e2a5f50

  • SHA1

    f83c1604f88e7d8198894cc7de67aa3b0b3992b6

  • SHA256

    6bff808ede3ce8a1e176db5f02083b25825e62b079a917aafaa5ac89b4192c1b

  • SHA512

    f54f705cd25fd343e103e5ed8e81af76368c75ab39ccde484f088bcef8dd78c3b8138beeee258e8cfcad5320e2c516304d5e92d0c04d234412a43a80546087a9

  • SSDEEP

    196608:YLQTV93PKEk5UI0YQd/jkhKkQiHmnCQik3CEYv:YefLY3epuKvLSp

Score
10/10
raccoon7cc7e20e8fb40a79ad7a928b913d97acdiscoveryevasionspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

7cc7e20e8fb40a79ad7a928b913d97ac

C2

http://45.89.55.20/

http://94.131.97.52/
rc4.plain

Targets

    • Target

      Setup.exe

    • Size

      410.2MB

    • MD5

      f18562f8c3e1ffd36c5c457efa5ebfc4

    • SHA1

      3028f0e332a4c8a81800459df1e73336044d40e8

    • SHA256

      8da582dd7d6accc244b98451f2cc5354b6dd7a00018c44b3f05aa42bd87a0f9c

    • SHA512

      129b672756b1be3408cb23dfee4fa77af93190992dd8530ffa697cc4adad90b581d28df344d46770b9f38124b43ea2b7c2115ea0984c1c62943191fbbfcee209

    • SSDEEP

      98304:1bqtnNCzWXTssBWjjX8Lu7nZ3kq21ym2j6K1wZPnBEPAW21:1eh8z0sPzVbSUm2t1sPnSoV

    Score
    10/10
    raccoon7cc7e20e8fb40a79ad7a928b913d97acdiscoveryevasionspywarestealertrojan

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      langs/Hungarian.ini

    • Size

      107KB

    • MD5

      7591df7fae4342cbc7a0706e1b28e87b

    • SHA1

      825e88ad498e8713522f5aef3b21ee01d6fa8b41

    • SHA256

      fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d

    • SHA512

      8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4

    • SSDEEP

      3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X

    Score
    1/10
    behavioral3behavioral4

    • Target

      langs/Korean.ini

    • Size

      91KB

    • MD5

      efae0c78be2abe2920c78b9d4785ab45

    • SHA1

      8c0799fb68852cb071bbe260deb4ab357bd5f4ed

    • SHA256

      ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132

    • SHA512

      44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8

    • SSDEEP

      768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v6

Tasks