General
-
Target
701a17a2c1f352456322e3ee71750d6b8ba489ccfa8473b9a5015d22c655f5e2
-
Size
270KB
-
Sample
221116-rgyd5abf73
-
MD5
c3f217c7e28155a109494f7254a2226e
-
SHA1
44c3a2bf56a3a7915132348d7ccfb88f82cfa699
-
SHA256
701a17a2c1f352456322e3ee71750d6b8ba489ccfa8473b9a5015d22c655f5e2
-
SHA512
f0e525ca1ab4d86fe68f9ab9f2a6b53eff2791e20a9ea882e212748350a48c3d93530d25dfa89f17cc3f3e317fb5caa6bd67c7ceec1c5fc280e7077943ab4bd7
-
SSDEEP
3072:xXOiU9LJtfzg66CV4BhHbZv1K9EQMYz6HD9jxMzt4ZABnIiHKb+JYpLDzHWm73im:VU9LJO66fBBe16hjxMz9BpJcHni5lq
Malware Config
Extracted
raccoon
dbffbdbc9786a5c270e6dd2d647e18ea
http://79.137.205.87/
Targets
-
-
Target
701a17a2c1f352456322e3ee71750d6b8ba489ccfa8473b9a5015d22c655f5e2
-
Size
270KB
-
MD5
c3f217c7e28155a109494f7254a2226e
-
SHA1
44c3a2bf56a3a7915132348d7ccfb88f82cfa699
-
SHA256
701a17a2c1f352456322e3ee71750d6b8ba489ccfa8473b9a5015d22c655f5e2
-
SHA512
f0e525ca1ab4d86fe68f9ab9f2a6b53eff2791e20a9ea882e212748350a48c3d93530d25dfa89f17cc3f3e317fb5caa6bd67c7ceec1c5fc280e7077943ab4bd7
-
SSDEEP
3072:xXOiU9LJtfzg66CV4BhHbZv1K9EQMYz6HD9jxMzt4ZABnIiHKb+JYpLDzHWm73im:VU9LJO66fBBe16hjxMz9BpJcHni5lq
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-