General

  • Target

    b2ea787779b3a69119917db1862fdd50.exe

  • Size

    2.1MB

  • Sample

    230201-e7874abh55

  • MD5

    b2ea787779b3a69119917db1862fdd50

  • SHA1

    13cfa137064233181d1715cb631185aef1414520

  • SHA256

    c7ebf50e12215ee97c015ce0f96f656d1274f07c36b672219f9d18bde8072362

  • SHA512

    8f06fed0dc346a4becc7904dc484390c887d3a343d0919dbad616ae42413ba23744015218c1d1bc3050117d1137d6f8e3f527dbaaf2008f15bfcd844b3da4e55

  • SSDEEP

    24576:VJYp7t2/0TXJCg8/IN1b4F7cBzwq3EXR3xympR3JA6yaRGTWA4qAfCpm6neAnb0c:VJYeicg8/INu6lvA/aT1

Malware Config

Extracted

  • Family

    raccoon

  • Botnet

    fa82e734b53e841c19108ad18b73cc3a

  • C2

    http://95.179.182.231/

  • rc4.plain

Targets

    • Target

      b2ea787779b3a69119917db1862fdd50.exe

    • Size

      2.1MB

    • MD5

      b2ea787779b3a69119917db1862fdd50

    • SHA1

      13cfa137064233181d1715cb631185aef1414520

    • SHA256

      c7ebf50e12215ee97c015ce0f96f656d1274f07c36b672219f9d18bde8072362

    • SHA512

      8f06fed0dc346a4becc7904dc484390c887d3a343d0919dbad616ae42413ba23744015218c1d1bc3050117d1137d6f8e3f527dbaaf2008f15bfcd844b3da4e55

    • SSDEEP

      24576:VJYp7t2/0TXJCg8/IN1b4F7cBzwq3EXR3xympR3JA6yaRGTWA4qAfCpm6neAnb0c:VJYeicg8/INu6lvA/aT1

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Each tactic lists the technique, the number of matching signatures in parentheses, and the technique ID.

  • Defense Evasion

    Virtualization/Sandbox Evasion (1) T1497

  • Credential Access

    Credentials in Files (1) T1081

  • Discovery

    Query Registry (2) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (2) T1082

  • Collection

    Data from Local System (1) T1005

Tasks