allcome

General

Target

guihelper.exe
Size

1.4MB
Sample

221004-3gzgzachb7
MD5

2c6e3dcfa405ff4153cfc78f7ed4254d
SHA1

36baae5a2364847b50769296bacdc011e2c98199
SHA256

b31542edcbc2793c310d1b5940a5ab412184e2e5ae00653b60f4ccb93b922572
SHA512

78f64962571552176dc1e2e2d9a35fedf47044c9da4d982d19d86c9dbae72146b70bc92929f605a7724c6315b1c25b657193bc3d67c23d9fbb5861af742e5b2f
SSDEEP

24576:0dHtelZZ5l4yz7NaYz8kOJufChQFy30hBAlvSQ9DbEGvlI5Y1CG1pG9HSR6Q7tUx:gHgfZcyNztGGAlAGNMwCGHACOx

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

557be2ba9f180c2e908201d7a1badea7

C2

http://64.44.135.91/

rc4.plain

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Wallets

D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw

r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp

0xC4b495c6ef4B61d5757a1e78dE22edC315867C84

XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME

TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx

t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B

GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X

48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ

qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6

1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa

0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd

LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo

ronin:bb375c985bc63d448b3bc14cda06b2866f75e342

+79889916188

MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC

ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg

3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7

bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m

Extracted

Family

systembc

C2

89.22.225.242:4193

195.2.93.22:4193

Targets

- Target
  
  guihelper.exe
- Size
  
  1.4MB
- MD5
  
  2c6e3dcfa405ff4153cfc78f7ed4254d
- SHA1
  
  36baae5a2364847b50769296bacdc011e2c98199
- SHA256
  
  b31542edcbc2793c310d1b5940a5ab412184e2e5ae00653b60f4ccb93b922572
- SHA512
  
  78f64962571552176dc1e2e2d9a35fedf47044c9da4d982d19d86c9dbae72146b70bc92929f605a7724c6315b1c25b657193bc3d67c23d9fbb5861af742e5b2f
- SSDEEP
  
  24576:0dHtelZZ5l4yz7NaYz8kOJufChQFy30hBAlvSQ9DbEGvlI5Y1CG1pG9HSR6Q7tUx:gHgfZcyNztGGAlAGNMwCGHACOx
Score

10^/10

raccoon 557be2ba9f180c2e908201d7a1badea7 evasion spyware stealer themida trojan allcome systembc
- Allcome
  A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
  stealer allcome
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2