General

  • Target

    dd65171f49f16928478b571996b99a33.bin

  • Size

    3.4MB

  • Sample

    230224-cgawhahh69

  • MD5

    d3f5b833dc559d401e2ed1987c0ca29c

  • SHA1

    46f3a08ded77550b968f586f567d1597dc21388f

  • SHA256

    28b9977b341a7a9f4984a63e364035b6e40fd8efbf7b8f471cb8720b0dba20dc

  • SHA512

    efeb17f8e93eefeb8da8bf4fa0806ea97146a060f99e53d57ca66db31d4effb47cae8bb0e805401a9ad8c5aa844895aea9042eb15bbf2db8e43f3d29fd335ca5

  • SSDEEP

    98304:9PizunWSiJm2TMaok/3lffmT7mxTSBIfVU/XIERT:Z06WI2Qaoc3smxOEVGXIEl

Malware Config

Extracted

  • Family

    raccoon

  • Botnet

    960d8047e2829c4b87de991d706e2490

  • C2

    http://94.142.138.37/

  • rc4.plain

Targets

    • Target

      5ef1589d1a0c75747a2f7c193956fb7588f456a60fef3f903b12d84989e4e89a.exe

    • Size

      3.6MB

    • MD5

      dd65171f49f16928478b571996b99a33

    • SHA1

      79fe9466c919cc8a0dbf88cd56a275b7276c45d1

    • SHA256

      5ef1589d1a0c75747a2f7c193956fb7588f456a60fef3f903b12d84989e4e89a

    • SHA512

      49f54e2b8110d15dce742032c2e0fc63b308b2f465159c117254ed152468fe78e9fff6f4c805936900fb527942171ebc210b95b49f9d7b4c39e5d44127c97285

    • SSDEEP

      49152:+SNKBJ20GZsIuAoAEm/It5HhYyXeBwlBKw3kPXvyNiqBFpI5+wXmAE7/FRLyBhcD:hN620Rv1rrYyXeiKYk6Lus7zysp

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Install Root Certificate (T1130): 1

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 3

Tasks