General

  • Target

    bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

  • Size

    1.5MB

  • Sample

    220930-ghnwzadedn

  • MD5

    82a0a0bd6084c5a28081310e75e7f608

  • SHA1

    e5ce952e62af7efc484826c512a6f9b363b21877

  • SHA256

    bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

  • SHA512

    19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

  • SSDEEP

    24576:Fs50MV0ORVeA8iFZwkyIVH8oPMp4ySs50MIpNSlzqs50M0IW9KK5jNSDUXNSW1:Fs5VXh8lkHVHLMSs5IpIlzqs50h9KajX

Malware Config

  • Extracted (family: raccoon)

    Version: 1.7.1-hotfix
    Botnet: 5e4db353b88c002ba6466c06437973619aad03b3
    Attributes: url4cnc = https://telete.in/brikitiki, rc4.plain

  • Extracted (family: oski)

    C2: taenaiaa.ac.ug

  • Extracted (family: azorult)

    C2: http://195.245.112.115/index.php

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data and crypto wallets.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                     Count  ID
  Credential Access  Credentials in Files          1      T1081
  Discovery          Query Registry                1      T1012
  Discovery          System Information Discovery  2      T1082
  Collection         Data from Local System        1      T1005

Tasks