Overview

overview

10

Static

static

guihelper.exe

windows7-x64

10

guihelper.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    297s
  • max time network
    296s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2022 23:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    guihelper.exe

  • Size

    1.4MB

  • MD5

    2c6e3dcfa405ff4153cfc78f7ed4254d

  • SHA1

    36baae5a2364847b50769296bacdc011e2c98199

  • SHA256

    b31542edcbc2793c310d1b5940a5ab412184e2e5ae00653b60f4ccb93b922572

  • SHA512

    78f64962571552176dc1e2e2d9a35fedf47044c9da4d982d19d86c9dbae72146b70bc92929f605a7724c6315b1c25b657193bc3d67c23d9fbb5861af742e5b2f

  • SSDEEP

    24576:0dHtelZZ5l4yz7NaYz8kOJufChQFy30hBAlvSQ9DbEGvlI5Y1CG1pG9HSR6Q7tUx:gHgfZcyNztGGAlAGNMwCGHACOx

Score
10/10
raccoon557be2ba9f180c2e908201d7a1badea7evasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

raccoon

Botnet

557be2ba9f180c2e908201d7a1badea7

C2

http://64.44.135.91/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 6 IoCs
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\guihelper.exe
    "C:\Users\Admin\AppData\Local\Temp\guihelper.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Users\Admin\AppData\LocalLow\SmyOOOyP.exe
        "C:\Users\Admin\AppData\LocalLow\SmyOOOyP.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:972
      • C:\Users\Admin\AppData\LocalLow\0O5eT480.exe
        "C:\Users\Admin\AppData\LocalLow\0O5eT480.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1700
      • C:\Users\Admin\AppData\Local\Temp\23406Wm3.exe
        "C:\Users\Admin\AppData\Local\Temp\23406Wm3.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\0O5eT480.exe
    Filesize

    7.1MB

    MD5

    aa9aeef0c7f798b7a2304a36f019a4d5

    SHA1

    53e215bae2435c8d513dc05e4b759b432b732b37

    SHA256

    37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402

    SHA512

    01cb47ed8569519ee56b30c81baceef5ffb6c5278caff6cf0eb8024dd7dd06a609274a827fdd79d028462f22793ef6f3d79f0b3eed1aa4053a190edbb7e4e014

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\SmyOOOyP.exe
    Filesize

    8.2MB

    MD5

    23150d8faa66ce23299e2c032b8fd62f

    SHA1

    26c7c604d01f784931a3a95f1efeb56bfe1aec69

    SHA256

    bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b

    SHA512

    17ae25cce526a5eb11202cc779f5d62fc45b14a4d547e2eb88694dc21c83fdb853731adfd7cb47fb3499f140ddedf61175415504a0c93cb2ed3b3f25e989f5e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\23406Wm3.exe
    Filesize

    19.2MB

    MD5

    e3adc4d6881c16affd4fc0239a79c9b7

    SHA1

    f62631fa4539c98e89cf417050146ae6f02c22b2

    SHA256

    d9138877762b03c339c0bea690551fbb946681e4c5b3e98dab367f15a2d8411b

    SHA512

    6fcabc2b7a1ad72d62c972f8f3f72d0a5ede4ae12b30cefad956a40d45e48654d061cade431030409db0ed5cdece6b8d42e665697ca64aafff0c069c05d0770a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\23406Wm3.exe
    Filesize

    19.2MB

    MD5

    e3adc4d6881c16affd4fc0239a79c9b7

    SHA1

    f62631fa4539c98e89cf417050146ae6f02c22b2

    SHA256

    d9138877762b03c339c0bea690551fbb946681e4c5b3e98dab367f15a2d8411b

    SHA512

    6fcabc2b7a1ad72d62c972f8f3f72d0a5ede4ae12b30cefad956a40d45e48654d061cade431030409db0ed5cdece6b8d42e665697ca64aafff0c069c05d0770a

    Download Submit

  • \Users\Admin\AppData\LocalLow\0O5eT480.exe
    Filesize

    7.1MB

    MD5

    aa9aeef0c7f798b7a2304a36f019a4d5

    SHA1

    53e215bae2435c8d513dc05e4b759b432b732b37

    SHA256

    37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402

    SHA512

    01cb47ed8569519ee56b30c81baceef5ffb6c5278caff6cf0eb8024dd7dd06a609274a827fdd79d028462f22793ef6f3d79f0b3eed1aa4053a190edbb7e4e014

    Download Submit

  • \Users\Admin\AppData\LocalLow\SmyOOOyP.exe
    Filesize

    8.2MB

    MD5

    23150d8faa66ce23299e2c032b8fd62f

    SHA1

    26c7c604d01f784931a3a95f1efeb56bfe1aec69

    SHA256

    bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b

    SHA512

    17ae25cce526a5eb11202cc779f5d62fc45b14a4d547e2eb88694dc21c83fdb853731adfd7cb47fb3499f140ddedf61175415504a0c93cb2ed3b3f25e989f5e7

    Download Submit

  • \Users\Admin\AppData\LocalLow\mozglue.dll
    Filesize

    612KB

    MD5

    f07d9977430e762b563eaadc2b94bbfa

    SHA1

    da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

    SHA256

    4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

    SHA512

    6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

    Download Submit

  • \Users\Admin\AppData\LocalLow\nss3.dll
    Filesize

    1.9MB

    MD5

    f67d08e8c02574cbc2f1122c53bfb976

    SHA1

    6522992957e7e4d074947cad63189f308a80fcf2

    SHA256

    c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

    SHA512

    2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

    Download Submit

  • \Users\Admin\AppData\LocalLow\sqlite3.dll
    Filesize

    1.0MB

    MD5

    dbf4f8dcefb8056dc6bae4b67ff810ce

    SHA1

    bbac1dd8a07c6069415c04b62747d794736d0689

    SHA256

    47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

    SHA512

    b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\23406Wm3.exe
    Filesize

    19.2MB

    MD5

    e3adc4d6881c16affd4fc0239a79c9b7

    SHA1

    f62631fa4539c98e89cf417050146ae6f02c22b2

    SHA256

    d9138877762b03c339c0bea690551fbb946681e4c5b3e98dab367f15a2d8411b

    SHA512

    6fcabc2b7a1ad72d62c972f8f3f72d0a5ede4ae12b30cefad956a40d45e48654d061cade431030409db0ed5cdece6b8d42e665697ca64aafff0c069c05d0770a

    Download Submit

  • memory/376-64-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/376-78-0x0000000003A80000-0x00000000042C1000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/376-69-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/376-92-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/376-62-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/376-85-0x0000000003A80000-0x00000000041A0000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/376-67-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/972-79-0x00000000003E0000-0x0000000000C21000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/972-77-0x00000000003E0000-0x0000000000C21000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1700-87-0x0000000000940000-0x0000000001060000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1700-88-0x0000000000940000-0x0000000001060000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1700-95-0x0000000002700000-0x0000000002718000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1700-94-0x0000000004A40000-0x0000000004A72000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1700-86-0x0000000000940000-0x0000000001060000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1996-61-0x000000000F920000-0x000000000FA23000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1996-60-0x0000000001050000-0x000000000119C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1996-54-0x00000000009B0000-0x0000000001043000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1996-57-0x0000000075281000-0x0000000075283000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1996-56-0x0000000001050000-0x000000000119C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1996-66-0x0000000001050000-0x000000000119C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1996-55-0x00000000009B0000-0x0000000001043000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1996-59-0x00000000009B0000-0x0000000001043000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1996-58-0x0000000001050000-0x000000000119C000-memory.dmp

    Filesize

    1.3MB

    Download