General

  • Target

    d95b0b49d1297b2575f3df70d569f294

  • Size

    968KB

  • Sample

    231222-sseltsbee4

  • MD5

    d95b0b49d1297b2575f3df70d569f294

  • SHA1

    8cce459259d4aa52e7ec0c740ba5a9e0583fc250

  • SHA256

    ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30

  • SHA512

    b7d753fcfc488415f706d5e525527716cd9c271e1d9a28204d75e914cd62e565c9389591d130fc1a8527a50112a5a88bbe2ed8554ebeabdfc3616ff91797a8dd

  • SSDEEP

    24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgp:waWNC7hLVVL1sX3WxKZKgW2hrKd7j6

Malware Config

  • Extracted

    Family: raccoon
    Botnet: 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3
    Attributes:
      url4cnc: https://telete.in/brikitiki
      rc4.plain

  • Extracted

    Family: oski
    C2: mazooyaar.ac.ug

  • Extracted

    Family: azorult
    C2: http://195.245.112.115/index.php

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data and crypto wallets.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    T1553 Subvert Trust Controls: 1
    T1553.004 Install Root Certificate: 1
    T1112 Modify Registry: 1

  • Credential Access

    T1552 Unsecured Credentials: 1
    T1552.001 Credentials In Files: 1

  • Discovery

    T1012 Query Registry: 1
    T1082 System Information Discovery: 2

  • Collection

    T1005 Data from Local System: 1

Tasks