General

  • Target

    NewstVersion_1234_InstallerPass.rar

  • Size

    4MB

  • Sample

    221220-qyhvbshf57

  • MD5

    cda1504b1d4004c8bf3b90b9035ebeb8

  • SHA1

    46832d82bc25c7363f32b3473872936e97cfe990

  • SHA256

    4d18cd22365f3f3d714fca4a674014fc7a68d6029da4c53a94fe950189f9c956

  • SHA512

    3932b135f10e2cf84811fb462b4dc9e804883fb6aed2262848dcf543515a00e5b14728d8c700286402b5232083b394c1180e4c55ddd383ba1de03731eb00dd5c

  • SSDEEP

    98304:8/W8ZSAQXOhvyrvtrfyz7bpVs6pOohZsKRPm5:8u8kA0OhqRrKz3Ee5RO5

Malware Config

Extracted

Family

raccoon

Botnet

b4f472421ce1f18efd9f610339c3dae1

C2

http://77.73.134.30/

rc4.plain

Targets

    • Target

      Setup.exe

    • Size

      427MB

    • MD5

      9d2b9885fdb0885ac11bd944c86c4655

    • SHA1

      eeeebef1fd514f1b697158c990ba94b9c752374c

    • SHA256

      ef70efe0a3cd860831657fa7ee8d832d49c8d8489df4b35d2480cc043bbb1b04

    • SHA512

      6ca0fe74cec6b22e9d9da927614cfed8440d153f8852fc938b7f156b95c29ddca7b652557635ebb6aa7197ad37c0a09d475deedddc44316ddac929cdac7b4813

    • SSDEEP

      98304:b8vH233wZUFkCNauJm+UPp7WMZwa/jOTN:bowwP+UxaMZxbOT

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation

                      Tasks