Overview

overview

10

Static

static

anon1.c.exe

windows7-x64

10

anon1.c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    anon1.c.exe

  • Size

    6.3MB

  • Sample

    221108-pg9q2sheaq

  • MD5

    ec54635cd5ecaf1b3bfeaac4ad54f360

  • SHA1

    78ce05e39cd35bb9f932dadf0d2dc7bb2783cb15

  • SHA256

    04d31c61d53359359e896db066a150f94321c1fd788a9ef7cb6a3e08ab963761

  • SHA512

    44043cdae43b0fe3e9c8a247e568925c5c8047fa425d61bfb428cb6376f9ba1d8bfa50b362657ca73a48c015f7fb1ea6b496a00d68473f6ee92eebbc17e5e236

  • SSDEEP

    98304:F0fI8YvciV+yBm0XA7HCOaYh5JTrQOdauaHaSZSxT+yq1Dc0:F0oxLA7HJaW5tbauFgSx4

Score
10/10
raccoonredlinesystembc94c54520400750937a6f1bf6044f8667test1discoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

94c54520400750937a6f1bf6044f8667

C2

http://194.37.80.221/

rc4.plain

Extracted

Family

systembc

C2

45.15.156.48:4254

146.70.53.169:4254

Extracted

Family

redline

Botnet

Test1

C2

45.15.156.48:8285

Attributes
  • auth_value

    3ec6815aabd0bab316e997c1c7898294

Targets

    • Target

      anon1.c.exe

    • Size

      6.3MB

    • MD5

      ec54635cd5ecaf1b3bfeaac4ad54f360

    • SHA1

      78ce05e39cd35bb9f932dadf0d2dc7bb2783cb15

    • SHA256

      04d31c61d53359359e896db066a150f94321c1fd788a9ef7cb6a3e08ab963761

    • SHA512

      44043cdae43b0fe3e9c8a247e568925c5c8047fa425d61bfb428cb6376f9ba1d8bfa50b362657ca73a48c015f7fb1ea6b496a00d68473f6ee92eebbc17e5e236

    • SSDEEP

      98304:F0fI8YvciV+yBm0XA7HCOaYh5JTrQOdauaHaSZSxT+yq1Dc0:F0oxLA7HJaW5tbauFgSx4

    Score
    10/10
    raccoonredlinesystembc94c54520400750937a6f1bf6044f8667test1discoveryinfostealerspywarestealertrojan

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks