blister | fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3

General

Target

af175128a823db1274fc244d8f5a46bd.exe
Size

16.6MB
MD5

af175128a823db1274fc244d8f5a46bd
SHA1

9d67400fb5818a6c573c36eac8650458d7f1d07e
SHA256

fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3
SHA512

2fbd782242a4e57c2563cf4eb46d0bfca337839f126b93eca96a8c9a06377034336770c368da0c703ed2d7907f49d75b722dc688c461de1000e46c32368fe19f
SSDEEP

393216:7Q4l1FoGr1o4X3LKq/LnF+aOeuKAxt9zpaz3y6Jqx5mDsLOVEi:7Q4l1Fo455LnVupJpa2ADsKVT

Score

10^/10

blister raccoon 6f477b98912ea3958a37585999397f4fbda5dc46 loader stealer vmprotect

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

6f477b98912ea3958a37585999397f4fbda5dc46

Attributes

url4cnc
https://telete.in/chelmedvedosvin1

rc4.plain

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 5 IoCs

loader

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\lib_npp\libcef.dll	family_blister_x32
behavioral1/memory/1948-5-0x0000000072360000-0x000000007416F000-memory.dmp	family_blister_x32
behavioral1/memory/1948-7-0x0000000072360000-0x000000007416F000-memory.dmp	family_blister_x32
behavioral1/memory/1948-47-0x0000000072360000-0x000000007416F000-memory.dmp	family_blister_x32
behavioral1/memory/1948-59-0x0000000072360000-0x000000007416F000-memory.dmp	family_blister_x32

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2380-52-0x00000000001C0000-0x0000000000255000-memory.dmp	family_raccoon_v1
behavioral1/memory/2380-58-0x00000000001C0000-0x0000000000255000-memory.dmp	family_raccoon_v1

Loads dropped DLL 1 IoCs

Processes:

af175128a823db1274fc244d8f5a46bd.exe

pid process

1948 af175128a823db1274fc244d8f5a46bd.exe

pid	process
1948	af175128a823db1274fc244d8f5a46bd.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\lib_npp\libcef.dll	vmprotect
behavioral1/memory/1948-5-0x0000000072360000-0x000000007416F000-memory.dmp	vmprotect
behavioral1/memory/1948-7-0x0000000072360000-0x000000007416F000-memory.dmp	vmprotect
behavioral1/memory/1948-47-0x0000000072360000-0x000000007416F000-memory.dmp	vmprotect
behavioral1/memory/1948-59-0x0000000072360000-0x000000007416F000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

af175128a823db1274fc244d8f5a46bd.exe

pid process

1948 af175128a823db1274fc244d8f5a46bd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

af175128a823db1274fc244d8f5a46bd.exe

description pid process target process

PID 1948 set thread context of 2380 1948 af175128a823db1274fc244d8f5a46bd.exe af175128a823db1274fc244d8f5a46bd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1948	af175128a823db1274fc244d8f5a46bd.exe

description	pid	process	target process
PID 1948 set thread context of 2380	1948	af175128a823db1274fc244d8f5a46bd.exe	af175128a823db1274fc244d8f5a46bd.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\Diagnostic asda\Diagnostic asda.exe	nsis_installer_1
C:\ProgramData\Diagnostic asda\Diagnostic asda.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af175128a823db1274fc244d8f5a46bd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	af175128a823db1274fc244d8f5a46bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	af175128a823db1274fc244d8f5a46bd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

af175128a823db1274fc244d8f5a46bd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	af175128a823db1274fc244d8f5a46bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	af175128a823db1274fc244d8f5a46bd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

af175128a823db1274fc244d8f5a46bd.exe

pid process

1948 af175128a823db1274fc244d8f5a46bd.exe
1948 af175128a823db1274fc244d8f5a46bd.exe

pid	process
1948	af175128a823db1274fc244d8f5a46bd.exe
1948	af175128a823db1274fc244d8f5a46bd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

af175128a823db1274fc244d8f5a46bd.exe

description	pid	process	target process
PID 1948 wrote to memory of 2380	1948	af175128a823db1274fc244d8f5a46bd.exe	af175128a823db1274fc244d8f5a46bd.exe
PID 1948 wrote to memory of 2380	1948	af175128a823db1274fc244d8f5a46bd.exe	af175128a823db1274fc244d8f5a46bd.exe
PID 1948 wrote to memory of 2380	1948	af175128a823db1274fc244d8f5a46bd.exe	af175128a823db1274fc244d8f5a46bd.exe
PID 1948 wrote to memory of 2380	1948	af175128a823db1274fc244d8f5a46bd.exe	af175128a823db1274fc244d8f5a46bd.exe
PID 1948 wrote to memory of 2380	1948	af175128a823db1274fc244d8f5a46bd.exe	af175128a823db1274fc244d8f5a46bd.exe
PID 1948 wrote to memory of 2380	1948	af175128a823db1274fc244d8f5a46bd.exe	af175128a823db1274fc244d8f5a46bd.exe

C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe
"C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe
  "C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe"
  2⤵
  - Modifies system certificate store
  PID:2380

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Diagnostic asda\Diagnostic asda.exe

Filesize
16.6MB

MD5
af175128a823db1274fc244d8f5a46bd

SHA1
9d67400fb5818a6c573c36eac8650458d7f1d07e

SHA256
fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3

SHA512
2fbd782242a4e57c2563cf4eb46d0bfca337839f126b93eca96a8c9a06377034336770c368da0c703ed2d7907f49d75b722dc688c461de1000e46c32368fe19f

Download Submit
\Users\Admin\AppData\Local\Temp\lib_npp\libcef.dll

Filesize
16.8MB

MD5
8be88745fd2e82873c32d320d22e1cda

SHA1
d93d37773db45412e7ec98894e43cae1bb5bf8e6

SHA256
73d3671b49aa361e7276a9ee2c2e6696539978e27bc8917ac87dc6f8fcc18776

SHA512
3ab2b225198fa5ff5faff2a8c102c08e0286058a3f5d1381dac3648d5b758b12d0efdd8cd0e1be45c913161f45e50f5476ac96b37dfe4eff696726b44d5336e9

Download Submit
memory/1948-30-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1948-38-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1948-7-0x0000000072360000-0x000000007416F000-memory.dmp

Filesize
30.1MB

Download
memory/1948-10-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/1948-11-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1948-13-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1948-15-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1948-18-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1948-20-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1948-23-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1948-4-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/1948-28-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1948-25-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1948-33-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1948-35-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1948-36-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1948-8-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/1948-40-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1948-47-0x0000000072360000-0x000000007416F000-memory.dmp

Filesize
30.1MB

Download
memory/1948-5-0x0000000072360000-0x000000007416F000-memory.dmp

Filesize
30.1MB

Download
memory/1948-59-0x0000000072360000-0x000000007416F000-memory.dmp

Filesize
30.1MB

Download
memory/2380-52-0x00000000001C0000-0x0000000000255000-memory.dmp

Filesize
596KB

Download
memory/2380-58-0x00000000001C0000-0x0000000000255000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads