Overview

overview

10

Static

static

lrPBx4qjVQLL.exe

windows7-x64

10

lrPBx4qjVQLL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • submitted
    27-09-2022 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lrPBx4qjVQLL.exe

  • Size

    1.5MB

  • MD5

    018dbebc18d0989b6c5a0916a7aeb8ee

  • SHA1

    3d9d22ef47c09230fda8d66945e00e3538f2d975

  • SHA256

    82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

  • SHA512

    a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

  • SSDEEP

    49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b

Score
10/10
allcomeraccoon9b19cf60d9bdf65b8a2495aa965456c3evasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://94.131.107.206

rc4.plain

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Wallets

D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw

r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp

0xC4b495c6ef4B61d5757a1e78dE22edC315867C84

XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME

TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx

t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B

GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X

48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ

qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6

1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa

0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd

LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo

ronin:bb375c985bc63d448b3bc14cda06b2866f75e342

+79889916188

+79889916188

+79889916188

MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC

ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg

3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7

bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m

Signatures

  • Allcome

    A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    stealerallcome
  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lrPBx4qjVQLL.exe
    "C:\Users\Admin\AppData\Local\Temp\lrPBx4qjVQLL.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:2760
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:1192
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:664
          • C:\Users\Admin\AppData\Roaming\a28nI1TL.exe
            "C:\Users\Admin\AppData\Roaming\a28nI1TL.exe"
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3932
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"
              4⤵
              • Creates scheduled task(s)
              PID:3228
            • C:\Users\Admin\TypeRes\DllResource.exe
              "C:\Users\Admin\TypeRes\DllResource.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3196
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\a28nI1TL.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2976
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                5⤵
                  PID:2604
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1
                  5⤵
                  • Runs ping.exe
                  PID:1256
            • C:\Users\Admin\AppData\Roaming\i88g3WPd.exe
              "C:\Users\Admin\AppData\Roaming\i88g3WPd.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3748
              • C:\Users\Admin\AppData\Roaming\i88g3WPd.exe
                "C:\Users\Admin\AppData\Roaming\i88g3WPd.exe"
                4⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:4956
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
                  5⤵
                  • Creates scheduled task(s)
                  PID:4492
            • C:\Users\Admin\AppData\Local\Temp\L4ei73Ga.exe
              "C:\Users\Admin\AppData\Local\Temp\L4ei73Ga.exe"
              3⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2732

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\mozglue.dll
          Filesize

          612KB

          MD5

          f07d9977430e762b563eaadc2b94bbfa

          SHA1

          da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

          SHA256

          4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

          SHA512

          6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\nss3.dll
          Filesize

          1.9MB

          MD5

          f67d08e8c02574cbc2f1122c53bfb976

          SHA1

          6522992957e7e4d074947cad63189f308a80fcf2

          SHA256

          c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

          SHA512

          2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\sqlite3.dll
          Filesize

          1.0MB

          MD5

          dbf4f8dcefb8056dc6bae4b67ff810ce

          SHA1

          bbac1dd8a07c6069415c04b62747d794736d0689

          SHA256

          47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

          SHA512

          b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\L4ei73Ga.exe
          Filesize

          16.6MB

          MD5

          4d12325765be0951b3d05237dd68b3f8

          SHA1

          6e3280fa3953ac2b42c9f2002b0a8188c2742f25

          SHA256

          a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

          SHA512

          d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\L4ei73Ga.exe
          Filesize

          16.6MB

          MD5

          4d12325765be0951b3d05237dd68b3f8

          SHA1

          6e3280fa3953ac2b42c9f2002b0a8188c2742f25

          SHA256

          a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

          SHA512

          d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\a28nI1TL.exe
          Filesize

          1.9MB

          MD5

          5986aff76e7813045b1b130efbb10d30

          SHA1

          62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

          SHA256

          7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

          SHA512

          bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

          Download Submit

        • C:\Users\Admin\AppData\Roaming\a28nI1TL.exe
          Filesize

          1.9MB

          MD5

          5986aff76e7813045b1b130efbb10d30

          SHA1

          62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

          SHA256

          7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

          SHA512

          bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

          Download Submit

        • C:\Users\Admin\AppData\Roaming\i88g3WPd.exe
          Filesize

          519KB

          MD5

          0cc25540c7ea712231dfaa165733b316

          SHA1

          2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

          SHA256

          166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

          SHA512

          34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\i88g3WPd.exe
          Filesize

          519KB

          MD5

          0cc25540c7ea712231dfaa165733b316

          SHA1

          2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

          SHA256

          166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

          SHA512

          34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\i88g3WPd.exe
          Filesize

          519KB

          MD5

          0cc25540c7ea712231dfaa165733b316

          SHA1

          2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

          SHA256

          166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

          SHA512

          34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

          Download Submit

        • C:\Users\Admin\TypeRes\DllResource.exe
          Filesize

          124.9MB

          MD5

          ee4a89c4e9e32eb104505aa82bcb77f8

          SHA1

          4c697c6fb24093c745101c4d3ae8a799dd9b1922

          SHA256

          e939a32b64860e749ed993932d48f96d71a5e3d804b75207c9379ba5c5770d2d

          SHA512

          344370217497ae854ca6ca162bfd26b551f19d2b593c7ef6ea48b2f0c9a6d8bed3e19d01f49b1c1c83996f57be2c2ec7b4170e5e9a67398f4f13764baae67bcb

          Download Submit

        • C:\Users\Admin\TypeRes\DllResource.exe
          Filesize

          124.3MB

          MD5

          4b79e0c9cf3cb28d13ad7b9ec7a97104

          SHA1

          93c76b47318e48a86d704517e889b86041395e03

          SHA256

          008a8726880be8c2878ce17c3d75dad653805f0a292d4be3c9622d585fdeb3b6

          SHA512

          02cc120e022edb83b834ccf056ed75d43de466d1f2641d3167a954b38e6cb82190e3d60030ef384a442ffe48fcb4fca77519a291df2a9390cc9b81ecc4bd0a0b

          Download Submit

        • memory/664-147-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/664-145-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/664-143-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/664-141-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1912-136-0x000000000EA80000-0x000000000EB46000-memory.dmp

          Filesize

          792KB

          Download

        • memory/1912-135-0x0000000002AFF000-0x0000000002C43000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1912-133-0x0000000002AFF000-0x0000000002C43000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1912-137-0x000000000EA80000-0x000000000EB46000-memory.dmp

          Filesize

          792KB

          Download

        • memory/1912-134-0x000000000247E000-0x0000000002AE8000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/1912-146-0x0000000002AFF000-0x0000000002C43000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1912-132-0x000000000247E000-0x0000000002AE8000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/3196-187-0x000000000239D000-0x0000000002B2D000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3196-185-0x000000000239D000-0x0000000002B2D000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3196-186-0x0000000002B34000-0x0000000002CB3000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3748-160-0x0000000005920000-0x00000000059B2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3748-162-0x0000000006CC0000-0x0000000006CCA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3748-157-0x0000000000F70000-0x0000000000FF4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/3748-158-0x00000000057E0000-0x000000000587C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3748-159-0x0000000005E30000-0x00000000063D4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3932-161-0x00000000023F7000-0x0000000002B87000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3932-168-0x00000000023F7000-0x0000000002B87000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3932-164-0x0000000002B9C000-0x0000000002D1B000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3932-182-0x0000000002B9C000-0x0000000002D1B000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3932-169-0x0000000002B9C000-0x0000000002D1B000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4956-176-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download

        • memory/4956-172-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download

        • memory/4956-174-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download

        • memory/4956-173-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download

        • memory/4956-170-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download