General
-
Target
lrPBx4qjVQLL.exe
-
Size
1.5MB
-
Sample
220927-e6hnradfbn
-
MD5
018dbebc18d0989b6c5a0916a7aeb8ee
-
SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975
-
SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
-
SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96
-
SSDEEP
49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b
Malware Config
Extracted
raccoon
9b19cf60d9bdf65b8a2495aa965456c3
http://94.131.107.206
Extracted
allcome
http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw
D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw
r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp
0xC4b495c6ef4B61d5757a1e78dE22edC315867C84
XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME
TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx
t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B
GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X
48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ
qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6
1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa
0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd
LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo
ronin:bb375c985bc63d448b3bc14cda06b2866f75e342
+79889916188
+79889916188
+79889916188
MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC
ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg
3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7
bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m
Targets
-
-
Target
lrPBx4qjVQLL.exe
-
Size
1.5MB
-
MD5
018dbebc18d0989b6c5a0916a7aeb8ee
-
SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975
-
SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
-
SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96
-
SSDEEP
49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b
Score10/10-
Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-