General
- Target: AppSetup.zip
- Size: 4.5MB
- Sample: 220920-v3wdfahfcp
- MD5: 865c31202e362a06bf9b8016aecf1ed6
- SHA1: 7db7515e35ba019bbe4b2d2a324e57ca083ab80b
- SHA256: 8d58f4e7070f2ad8bfff1a05f6ade61113754ddaf52e93eb8c3622eb5a572615
- SHA512: 95e2926846f118c795065eeccedd0ca13a03682cd209ed0b845a6fa4186113cabf3fc989958847ed973a4391e0519103b5abb1e07a4f461d45bf52b4f6f14f20
- SSDEEP: 98304:xEhbRjNK16vxp403Rdi8duhNr8Br8g96zPUCMPfx:mhbRNK1Ka03RdixXIm7+
Behavioral task: behavioral1
- Sample: AppSetup/Setup.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: AppSetup/Setup.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted:
- raccoon
- 53b091e45e3b45faf54ed22a972aa360
- http://168.100.9.109/
Targets
- Target: AppSetup/Setup.exe
- Size: 700.0MB
- MD5: b494ad739d58aba5ce48c05a29215496
- SHA1: 4e18330d3779e3c13b043d2090e6a0ce1571668a
- SHA256: 6c7e2a5a6b4fcad8591cf0ba6854333d44d2be2724d0922f374791eb15e94d89
- SHA512: 2747aa2ab4a8ea2ada344d2e4a9bbf4f1d15893b4fbfd4a84dbf08d7a6d90517445bf5dc0569299e4b9a2edd17537382e5a9db6df7bb3c1b39eb1858ef17ec8b
- SSDEEP: 98304:Rv578/6bPZsGjNT46RutNpYdFU8xgFLqmMLfN:Rv578/iaGjNT493WgDo
Signatures:
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext