General

  • Target

    FOCVIVH.bin

  • Size

    3.5MB

  • Sample

    220929-t9pnssbdg8

  • MD5

    85c27c29bcd669111e83ece79e7e0a62

  • SHA1

    24cb399e0de0896709242e3e2cc2b0435d5c206e

  • SHA256

    c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9

  • SHA512

    9d01e2e090c553f3de1a85300f7faa36cee4a4e135ec47854529aaa1fe2fd2e0313b8202dbf875b6cc21e0a1ec46d1c1d379563ad7560470dd0a246c8bae7e99

  • SSDEEP

    24576:DqkwrOTxquuoM1iHVHv/Rkelbl1RWuetgVR04suAKluiCionxi3tWEvvbwDiqBQd:4uuoBVH7XRWFIDpkdj

Malware Config

Extracted

  • Family

    raccoon

  • Botnet

    9b19cf60d9bdf65b8a2495aa965456c3

  • C2

    http://5.2.70.65/

  • rc4.plain

Targets

    • Target

      FOCVIVH.bin

    • Size

      3.5MB


    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scripting                      1      T1064
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       Scripting                      1      T1064
  Credential Access     Credentials in Files           2      T1081
  Discovery             Query Registry                 1      T1012
  Discovery             System Information Discovery   2      T1082
  Discovery             Remote System Discovery        1      T1018
  Collection            Data from Local System         2      T1005

Tasks