Overview

overview

10

Static

static

7

C3Setup-Pa...ck.exe

windows7-x64

10

C3Setup-Pa...ck.exe

windows10-2004-x64

10

C3Setup-Pa...up.exe

windows7-x64

10

C3Setup-Pa...up.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    C3Setup-Password-123.rar

  • Size

    10.0MB

  • Sample

    220925-nnnlqafgaq

  • MD5

    9f09bb54f4ce7a18568436c8f81762ef

  • SHA1

    dc94ff04b500740cab45d3b7fa9aad89c0bbaece

  • SHA256

    20b98984cf708f574e15cd7ca54af8144f70492427cdd234b3a3fdd3175ac83f

  • SHA512

    1efe4e880a96274024da94e636e7dae73be3261b95f53b4724951f0c42fe21dbbac7d9baece14c34cd87202c932435c63fd45ebeab7f5902b75a88cc202e48c3

  • SSDEEP

    196608:1DTxeXQmeRV5zsaZ0XYLXUpsLmOUP6KyRXzwHbDTRSFPEkfh:VTxeXd6dsflpoc6KyeYF8k5

Score
10/10
raccoonvidar1281ae0c92bd5e48b563012900d8437d590bdiscoveryevasionpersistencespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

raccoon

Botnet

ae0c92bd5e48b563012900d8437d590b

C2

http://45.142.215.91/

http://5.182.36.233/
rc4.plain

Extracted

Family

vidar

Version

54.6

Botnet

1281

C2

https://t.me/parampampamsss

Attributes
  • profile_id

    1281

Targets

    • Target

      C3Setup-Password-123/FullSetup-Crack.exe

    • Size

      373.3MB

    • MD5

      bd1bb2b71f6025a6729d01fc3af63520

    • SHA1

      8442785cb73204df876827798ae20d6e4039cf0e

    • SHA256

      480b2368794c0de14154d86500b63e1bc1c3b8dd4ca02df24108ef04d5c3d5c8

    • SHA512

      16f5feaa942ae878ce694b12be5e4956461359133211da7aaf44df9d4c725316f38f827e5eeebd0d663d0653d579066a6b285c29ddbf9f8c8e7caee3d77e2ec8

    • SSDEEP

      98304:DjKzEfJGli3D5OX/grVTxoxZg+B1RvLeupA:DOSJ53anB1Rv1

    Score
    10/10
    raccoonae0c92bd5e48b563012900d8437d590bdiscoveryevasionspywarestealerthemidatrojanupx

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      C3Setup-Password-123/Pre-Activated-Setup.exe

    • Size

      374.0MB

    • MD5

      2636eb5b7c8d53e2551425c0c22d21b9

    • SHA1

      b650def88d225a307a94050e51d49e959ff64faa

    • SHA256

      0767a2852b98f41b963776333dc0fa1b5c01842ec5cb91857d698b89f4d65275

    • SHA512

      459e3b97daa4d615cc3325f4f4c9d4284ec4a08892c41b048078d409a8407ffb8f604f2aebd61bd0351faa6b61918c95c33f624156c8c73ba8203f2862c4e62c

    • SSDEEP

      196608:SLSIzEi+FtEVnZ6KIOFgKPzERkf/ZNxc:SLSI4i+DEJZX7X/

    Score
    10/10
    vidar1281discoveryspywarestealerpersistence

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Install Root Certificate

1
T1130

Modify Registry

3
T1112

Credential Access

Credentials in Files

5
T1081

Discovery

Query Registry

8
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

8
T1082

Lateral Movement

Collection

Data from Local System

5
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks