Malware sandboxing report by Hatching Triage

General

Target

lrPBx4qjVQLL.exe
Size

1MB
Sample

220927-e6hnradfbn
MD5

018dbebc18d0989b6c5a0916a7aeb8ee
SHA1

3d9d22ef47c09230fda8d66945e00e3538f2d975
SHA256

82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
SHA512

a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96
SSDEEP

49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b

Score

10^/10

Malware Config

Extracted

Family	raccoon
Botnet	9b19cf60d9bdf65b8a2495aa965456c3
C2	http://94.131.107.206 http://94.131.107.206
rc4.plain

Extracted

Family	allcome
C2	http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw
Wallets	D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp 0xC4b495c6ef4B61d5757a1e78dE22edC315867C84 XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X 48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6 1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa 0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo ronin:bb375c985bc63d448b3bc14cda06b2866f75e342 +79889916188 +79889916188 +79889916188 MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg 3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7 bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m 89PjhdrngYjeSa8dFeg6q8Sz4BXdrLLP8H8z82eUhTNjPBpTYkr3o6fWnkqng9D5TRaPT4HafXwUTJqcPE8SsbHUK5PM2Qx D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp 0xC4b495c6ef4B61d5757a1e78dE22edC315867C84 XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X 48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6 1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa 0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo ronin:bb375c985bc63d448b3bc14cda06b2866f75e342 +79889916188 +79889916188 +79889916188 MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg 3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7 bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m 89PjhdrngYjeSa8dFeg6q8Sz4BXdrLLP8H8z82eUhTNjPBpTYkr3o6fWnkqng9D5TRaPT4HafXwUTJqcPE8SsbHUK5PM2Qx

Targets

- Target
  
  lrPBx4qjVQLL.exe
- Size
  
  1MB
- MD5
  
  018dbebc18d0989b6c5a0916a7aeb8ee
- SHA1
  
  3d9d22ef47c09230fda8d66945e00e3538f2d975
- SHA256
  
  82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
- SHA512
  
  a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96
- SSDEEP
  
  49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b
Score

10^/10

allcome raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan
- Allcome
  A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
  stealer allcome
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Virtualization/Sandbox Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Allcome

Raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Enumerates connected drives

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2