General

  • Target

    crack file.exe

  • Size

    1.7MB

  • Sample

    230322-srwtqahe84

  • MD5

    3be7815f097914ca1bce77bbfab48ba4

  • SHA1

    9822603ebcc7bc1b0b109131e292db562cc0c55b

  • SHA256

    a8ce713a2d85e1c00b2a3075334ee1a6879cb34abdf70431e2184d5bcc83940e

  • SHA512

    4f0d1caf21366fa19c9862dc1892f2dba36c547f7b8d8086f5552834772a25b515597befd259f9e5b61b09118e73b4c81ed3accfef09f56b6233513e1c98bfd4

  • SSDEEP

    49152:NJ4HLNsPv/IIv0ZDgYdIvDD/CT40j0KzPLxN9tn:NJ4Hxs78Pi/r20KbLnn

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://neutropharma.com/wp/wp-content/debug2.ps1

Extracted

  • Family

    raccoon

  • Botnet

    cf8e11f4b26a8b6523ebca1d025854f5

  • C2

    http://109.234.39.45/

  • rc4.plain

Extracted

  • Family

    gcleaner

  • C2

    45.12.253.56

    45.12.253.72

    45.12.253.98

    45.12.253.75

Targets


    • Detects PseudoManuscrypt payload

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is malware related to Lazarus's Manuscrypt, targeting government organizations and ICS.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
