General
Target: C3Setup-Password-123.rar
Size: 10.0MB
Sample: 220925-nnnlqafgaq
MD5: 9f09bb54f4ce7a18568436c8f81762ef
SHA1: dc94ff04b500740cab45d3b7fa9aad89c0bbaece
SHA256: 20b98984cf708f574e15cd7ca54af8144f70492427cdd234b3a3fdd3175ac83f
SHA512: 1efe4e880a96274024da94e636e7dae73be3261b95f53b4724951f0c42fe21dbbac7d9baece14c34cd87202c932435c63fd45ebeab7f5902b75a88cc202e48c3
SSDEEP: 196608:1DTxeXQmeRV5zsaZ0XYLXUpsLmOUP6KyRXzwHbDTRSFPEkfh:VTxeXd6dsflpoc6KyeYF8k5
Behavioral tasks
behavioral1: C3Setup-Password-123/FullSetup-Crack.exe (resource: win7-20220812-en)
behavioral2: C3Setup-Password-123/FullSetup-Crack.exe (resource: win10v2004-20220812-en)
behavioral3: C3Setup-Password-123/Pre-Activated-Setup.exe (resource: win7-20220901-en)
Malware Config
Extracted: raccoon
  ae0c92bd5e48b563012900d8437d590b
  C2: http://45.142.215.91/
  C2: http://5.182.36.233/
Extracted: vidar
  Version: 54.6
  1281
  C2: https://t.me/parampampamsss
  profile_id: 1281
Targets

Target: C3Setup-Password-123/FullSetup-Crack.exe
Size: 373.3MB
MD5: bd1bb2b71f6025a6729d01fc3af63520
SHA1: 8442785cb73204df876827798ae20d6e4039cf0e
SHA256: 480b2368794c0de14154d86500b63e1bc1c3b8dd4ca02df24108ef04d5c3d5c8
SHA512: 16f5feaa942ae878ce694b12be5e4956461359133211da7aaf44df9d4c725316f38f827e5eeebd0d663d0653d579066a6b285c29ddbf9f8c8e7caee3d77e2ec8
SSDEEP: 98304:DjKzEfJGli3D5OX/grVTxoxZg+B1RvLeupA:DOSJ53anB1Rv1
Signatures:
  Identifies VirtualBox via ACPI registry values (likely anti-VM)
  Downloads MZ/PE file
  Executes dropped EXE
  Checks BIOS information in registry: BIOS information is often read in order to detect sandbox environments.
  Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  Loads dropped DLL
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
  Legitimate hosting services abused for malware hosting/C2
  Suspicious use of NtSetInformationThreadHideFromDebugger
Target: C3Setup-Password-123/Pre-Activated-Setup.exe
Size: 374.0MB
MD5: 2636eb5b7c8d53e2551425c0c22d21b9
SHA1: b650def88d225a307a94050e51d49e959ff64faa
SHA256: 0767a2852b98f41b963776333dc0fa1b5c01842ec5cb91857d698b89f4d65275
SHA512: 459e3b97daa4d615cc3325f4f4c9d4284ec4a08892c41b048078d409a8407ffb8f604f2aebd61bd0351faa6b61918c95c33f624156c8c73ba8203f2862c4e62c
SSDEEP: 196608:SLSIzEi+FtEVnZ6KIOFgKPzERkf/ZNxc:SLSI4i+DEJZX7X/
Signatures:
  Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  Deletes itself
  Loads dropped DLL
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Adds Run key to start application
  Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.