General
-
Target
0bd42b1d43c4df140cde9354d078f527.exe
-
Size
4.5MB
-
Sample
220927-avmfcaddbl
-
MD5
0bd42b1d43c4df140cde9354d078f527
-
SHA1
22dfa323960c4a7bdf499e169a4a060c0c58afa6
-
SHA256
79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863
-
SHA512
d68467de55488d5274f00023952926cebe13caf9504d3c6b2c61532e9f9d739c79652a79e5422b333f4ff4e790d22eab8df33e6aca2dc66ee3e21f3e2703ac9a
-
SSDEEP
98304:nkLlEy5jWOOfZhed1GQqCVjHjrGxu1xZ73Oe9WX:clHWEzVjHQQj73OmWX
Malware Config
Extracted
http://80.92.205.35/hfile.bin
Extracted
raccoon
9b19cf60d9bdf65b8a2495aa965456c3
http://94.131.107.206
Targets
-
-
Target
0bd42b1d43c4df140cde9354d078f527.exe
-
Size
4.5MB
-
MD5
0bd42b1d43c4df140cde9354d078f527
-
SHA1
22dfa323960c4a7bdf499e169a4a060c0c58afa6
-
SHA256
79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863
-
SHA512
d68467de55488d5274f00023952926cebe13caf9504d3c6b2c61532e9f9d739c79652a79e5422b333f4ff4e790d22eab8df33e6aca2dc66ee3e21f3e2703ac9a
-
SSDEEP
98304:nkLlEy5jWOOfZhed1GQqCVjHjrGxu1xZ73Oe9WX:clHWEzVjHQQj73OmWX
Score10/10-
Modifies Windows Defender notification settings
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-