General
-
Target
nagogy.bat
-
Size
3KB
-
Sample
230421-ydxrrahe78
-
MD5
04eb9cf07deddd7396e14e82a274779b
-
SHA1
b5065308793b9f53b47060fc14b55263899e4dbb
-
SHA256
44b4fd6220da480f67d6f417387f255e0e6d78e4a6b0eedf062164953c70f039
-
SHA512
4da5840e4995fdb099c09c3e94c90303a1f3f5f812dbf5409ea82b79aa3e3e469f167994f804a390fe93e2c2ff464fd317685bedf85e53740fc19ddc7d4e5e10
Malware Config
Extracted
raccoon
13718a923845c0cdab8ce45c585b8d63
http://45.15.156.198/
Extracted
raccoon
ee2a3d190100b91c20d8bc284238dda6
http://45.15.156.201/
Targets
-
-
Target
nagogy.bat
-
Size
3KB
-
MD5
04eb9cf07deddd7396e14e82a274779b
-
SHA1
b5065308793b9f53b47060fc14b55263899e4dbb
-
SHA256
44b4fd6220da480f67d6f417387f255e0e6d78e4a6b0eedf062164953c70f039
-
SHA512
4da5840e4995fdb099c09c3e94c90303a1f3f5f812dbf5409ea82b79aa3e3e469f167994f804a390fe93e2c2ff464fd317685bedf85e53740fc19ddc7d4e5e10
Score10/10-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-