General

  • Target

    AppSetup.zip

  • Size

    4.5MB

  • Sample

    220920-v3wdfahfcp

  • MD5

    865c31202e362a06bf9b8016aecf1ed6

  • SHA1

    7db7515e35ba019bbe4b2d2a324e57ca083ab80b

  • SHA256

    8d58f4e7070f2ad8bfff1a05f6ade61113754ddaf52e93eb8c3622eb5a572615

  • SHA512

    95e2926846f118c795065eeccedd0ca13a03682cd209ed0b845a6fa4186113cabf3fc989958847ed973a4391e0519103b5abb1e07a4f461d45bf52b4f6f14f20

  • SSDEEP

    98304:xEhbRjNK16vxp403Rdi8duhNr8Br8g96zPUCMPfx:mhbRNK1Ka03RdixXIm7+

Malware Config

Extracted

  • Family

    raccoon

  • Botnet

    53b091e45e3b45faf54ed22a972aa360

  • C2

    http://168.100.9.109/

  • rc4.plain

Targets

    • Target

      AppSetup/Setup.exe

    • Size

      700.0MB

    • MD5

      b494ad739d58aba5ce48c05a29215496

    • SHA1

      4e18330d3779e3c13b043d2090e6a0ce1571668a

    • SHA256

      6c7e2a5a6b4fcad8591cf0ba6854333d44d2be2724d0922f374791eb15e94d89

    • SHA512

      2747aa2ab4a8ea2ada344d2e4a9bbf4f1d15893b4fbfd4a84dbf08d7a6d90517445bf5dc0569299e4b9a2edd17537382e5a9db6df7bb3c1b39eb1858ef17ec8b

    • SSDEEP

      98304:Rv578/6bPZsGjNT46RutNpYdFU8xgFLqmMLfN:Rv578/iaGjNT493WgDo

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

    Command-Line Interface (T1059): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 1

Tasks