General

  • Target

    03f877143660b9aeb7e7c9914a1efeaedd081e8d8d9cdfeee237c96590e98003

  • Size

    252KB

  • Sample

    221115-v3d46aah2w

  • MD5

    df33b0d67d342bda0f8bd309924d36ff

  • SHA1

    931f3eff9541728edd27fc8a3e5385b147edd2f5

  • SHA256

    03f877143660b9aeb7e7c9914a1efeaedd081e8d8d9cdfeee237c96590e98003

  • SHA512

    54b5b94e690afc3b9a8f2ab9db0a2404e3c72cbfecf4dfccfac040a36f3288b332273077c624db24dfcbb11e455675873f81176850eaa9122de6edc9910b17ef

  • SSDEEP

    3072:2KYoDXX5nm8PGD35Z20OY/PKhNPkQbHl9LADsETJctI6rLpsNJPdYlvqx48UrkHD:Q65mtDp5dnqPvbH/EgdI6rVtK480

Malware Config

Extracted

Family

raccoon

Botnet

dbffbdbc9786a5c270e6dd2d647e18ea

C2

http://79.137.205.87/

rc4.plain

Targets

    • Target

      03f877143660b9aeb7e7c9914a1efeaedd081e8d8d9cdfeee237c96590e98003

    • Size

      252KB

    • MD5

      df33b0d67d342bda0f8bd309924d36ff

    • SHA1

      931f3eff9541728edd27fc8a3e5385b147edd2f5

    • SHA256

      03f877143660b9aeb7e7c9914a1efeaedd081e8d8d9cdfeee237c96590e98003

    • SHA512

      54b5b94e690afc3b9a8f2ab9db0a2404e3c72cbfecf4dfccfac040a36f3288b332273077c624db24dfcbb11e455675873f81176850eaa9122de6edc9910b17ef

    • SSDEEP

      3072:2KYoDXX5nm8PGD35Z20OY/PKhNPkQbHl9LADsETJctI6rLpsNJPdYlvqx48UrkHD:Q65mtDp5dnqPvbH/EgdI6rVtK480

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Tasks