General

  • Target: 701a17a2c1f352456322e3ee71750d6b8ba489ccfa8473b9a5015d22c655f5e2
  • Size: 270KB
  • Sample: 221116-rgyd5abf73
  • MD5: c3f217c7e28155a109494f7254a2226e
  • SHA1: 44c3a2bf56a3a7915132348d7ccfb88f82cfa699
  • SHA256: 701a17a2c1f352456322e3ee71750d6b8ba489ccfa8473b9a5015d22c655f5e2
  • SHA512: f0e525ca1ab4d86fe68f9ab9f2a6b53eff2791e20a9ea882e212748350a48c3d93530d25dfa89f17cc3f3e317fb5caa6bd67c7ceec1c5fc280e7077943ab4bd7
  • SSDEEP: 3072:xXOiU9LJtfzg66CV4BhHbZv1K9EQMYz6HD9jxMzt4ZABnIiHKb+JYpLDzHWm73im:VU9LJO66fBBe16hjxMz9BpJcHni5lq

Malware Config

Extracted

  • Family: raccoon
  • Botnet: dbffbdbc9786a5c270e6dd2d647e18ea
  • C2: http://79.137.205.87/
  • rc4.plain

Targets

    • Target: 701a17a2c1f352456322e3ee71750d6b8ba489ccfa8473b9a5015d22c655f5e2

    • Amadey: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detect Amadey credential stealer module
    • Raccoon: Raccoon is an infostealer written in C++ and first seen in 2019.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Loads dropped DLL
    • Reads local data of messenger clients: infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    • Accesses Microsoft Outlook profiles
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      1      T1112
  Credential Access     Credentials in Files                 2      T1081
  Discovery             Query Registry                       1      T1012
  Discovery             System Information Discovery         2      T1082
  Collection            Data from Local System               2      T1005
  Collection            Email Collection                     1      T1114

Tasks