Overview

overview

10

Static

static

3

NOTIFICACI...AL.exe

windows7-x64

8

NOTIFICACI...AL.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NOTIFICACION DEMANDA PERSONAL.exe

  • Size

    489KB

  • Sample

    230530-xzvnvabc88

  • MD5

    35e7110e47ba3d42bf5b71937e02ce8b

  • SHA1

    7194f08ad122d5e2e1d7b432522d6e9fc2565d7b

  • SHA256

    792f7b6362d213e5976d71aea0f36488aae184b30e021210e847d1450546c39d

  • SHA512

    70020e4680f74fd17705b14b0cc11541c773844952ee211eda82291b49b07c94acae9a7aa406c0f6e41fbad4a54d7ff10432b0acb0b2bbf5bc66201b8c6aec43

  • SSDEEP

    12288:qimcuTGiqcyQoiAsxhfi+/wHKK8zsK/nn6F2oG:qimcUGiqcyuAoh6jHKRzsKvQ23

Score
10/10
lummaraccoonevasionpersistencestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1yzIedgOlbPjUc006zFjrkRkJWDbchF0u

Extracted

Family

raccoon

rc4.plain

Targets

    • Target

      NOTIFICACION DEMANDA PERSONAL.exe

    • Size

      489KB

    • MD5

      35e7110e47ba3d42bf5b71937e02ce8b

    • SHA1

      7194f08ad122d5e2e1d7b432522d6e9fc2565d7b

    • SHA256

      792f7b6362d213e5976d71aea0f36488aae184b30e021210e847d1450546c39d

    • SHA512

      70020e4680f74fd17705b14b0cc11541c773844952ee211eda82291b49b07c94acae9a7aa406c0f6e41fbad4a54d7ff10432b0acb0b2bbf5bc66201b8c6aec43

    • SSDEEP

      12288:qimcuTGiqcyQoiAsxhfi+/wHKK8zsK/nn6F2oG:qimcUGiqcyuAoh6jHKRzsKvQ23

    Score
    10/10
    lummaraccoonevasionpersistencestealertrojanupx

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Blocklisted process makes network request

    • Modifies Installed Components in the registry

      persistence

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3
T1060

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks