Overview

overview

10

Static

static

lrPBx4qjVQLL.exe

windows7-x64

10

lrPBx4qjVQLL.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lrPBx4qjVQLL.exe

  • Size

    1.5MB

  • Sample

    220927-e6hnradfbn

  • MD5

    018dbebc18d0989b6c5a0916a7aeb8ee

  • SHA1

    3d9d22ef47c09230fda8d66945e00e3538f2d975

  • SHA256

    82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

  • SHA512

    a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

  • SSDEEP

    49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b

Score
10/10
allcomeraccoon9b19cf60d9bdf65b8a2495aa965456c3evasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://94.131.107.206

rc4.plain

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Wallets

D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw

r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp

0xC4b495c6ef4B61d5757a1e78dE22edC315867C84

XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME

TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx

t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B

GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X

48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ

qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6

1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa

0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd

LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo

ronin:bb375c985bc63d448b3bc14cda06b2866f75e342

+79889916188

+79889916188

+79889916188

MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC

ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg

3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7

bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m

Targets

    • Target

      lrPBx4qjVQLL.exe

    • Size

      1.5MB

    • MD5

      018dbebc18d0989b6c5a0916a7aeb8ee

    • SHA1

      3d9d22ef47c09230fda8d66945e00e3538f2d975

    • SHA256

      82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

    • SHA512

      a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

    • SSDEEP

      49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b

    Score
    10/10
    allcomeraccoon9b19cf60d9bdf65b8a2495aa965456c3evasionspywarestealerthemidatrojan

    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

      stealerallcome

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks