Overview

overview

10

Static

static

4bad8e019d...59.exe

windows7-x64

10

4bad8e019d...59.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4bad8e019dc6d8254185426c2fef0c59.exe

  • Size

    1.6MB

  • Sample

    221007-v3pwnadbfl

  • MD5

    4bad8e019dc6d8254185426c2fef0c59

  • SHA1

    7b55fcbae0b8c90100a0b8b999292e1c83ab5947

  • SHA256

    df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee

  • SHA512

    c8b82b65ed3eb15fc208147587ea5051dde079eba9006fad751195d2004398c4bd2eed0e1b1aab6cd01a3526eb04b30eb4b0798e6e68f5019c0d4faf155bbf96

  • SSDEEP

    49152:Tm5PrbWIRjUx3FEcLhbu32hEwdGvmKdAzDJ6SM:Tm5j0icVY2hNdGuKdAc

Score
10/10
raccoon9b19cf60d9bdf65b8a2495aa965456c3evasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://5.2.70.65/

rc4.plain

Targets

    • Target

      4bad8e019dc6d8254185426c2fef0c59.exe

    • Size

      1.6MB

    • MD5

      4bad8e019dc6d8254185426c2fef0c59

    • SHA1

      7b55fcbae0b8c90100a0b8b999292e1c83ab5947

    • SHA256

      df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee

    • SHA512

      c8b82b65ed3eb15fc208147587ea5051dde079eba9006fad751195d2004398c4bd2eed0e1b1aab6cd01a3526eb04b30eb4b0798e6e68f5019c0d4faf155bbf96

    • SSDEEP

      49152:Tm5PrbWIRjUx3FEcLhbu32hEwdGvmKdAzDJ6SM:Tm5j0icVY2hNdGuKdAc

    Score
    10/10
    raccoon9b19cf60d9bdf65b8a2495aa965456c3evasionspywarestealerthemidatrojan

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks