Overview

overview

10

Static

static

10

af175128a8...bd.exe

windows7-x64

10

af175128a8...bd.exe

windows10-2004-x64

10

$TEMP/lib_...ef.dll

windows7-x64

10

$TEMP/lib_...ef.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-02-2024 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af175128a823db1274fc244d8f5a46bd.exe

  • Size

    16.6MB

  • MD5

    af175128a823db1274fc244d8f5a46bd

  • SHA1

    9d67400fb5818a6c573c36eac8650458d7f1d07e

  • SHA256

    fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3

  • SHA512

    2fbd782242a4e57c2563cf4eb46d0bfca337839f126b93eca96a8c9a06377034336770c368da0c703ed2d7907f49d75b722dc688c461de1000e46c32368fe19f

  • SSDEEP

    393216:7Q4l1FoGr1o4X3LKq/LnF+aOeuKAxt9zpaz3y6Jqx5mDsLOVEi:7Q4l1Fo455LnVupJpa2ADsKVT

Score
10/10
blisterraccoon6f477b98912ea3958a37585999397f4fbda5dc46loaderstealervmprotect

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

6f477b98912ea3958a37585999397f4fbda5dc46

Attributes
  • url4cnc

    https://telete.in/chelmedvedosvin1

rc4.plain
rc4.plain

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

    loaderblister
  • Detect Blister loader x32 4 IoCs
    loader
  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe
    "C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe
      "C:\Users\Admin\AppData\Local\Temp\af175128a823db1274fc244d8f5a46bd.exe"
      2⤵
        PID:4308
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
      1⤵
        PID:680

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Diagnostic asda\Diagnostic asda.exe
        Filesize

        16.6MB

        MD5

        af175128a823db1274fc244d8f5a46bd

        SHA1

        9d67400fb5818a6c573c36eac8650458d7f1d07e

        SHA256

        fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3

        SHA512

        2fbd782242a4e57c2563cf4eb46d0bfca337839f126b93eca96a8c9a06377034336770c368da0c703ed2d7907f49d75b722dc688c461de1000e46c32368fe19f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\lib_npp\libcef.dll
        Filesize

        4.5MB

        MD5

        30a5948b530c1ab99d9447cf49a85ba7

        SHA1

        8fc474764bba52071f341414bba80d2631f7119a

        SHA256

        b6257e73c78bfa1bed6df1f71e3a0ebe078e2f720d2de8c8c27a9aea7b69fbcb

        SHA512

        934ef284b208e71728b0a7183ee1d86d548062d3fd48469eee1627b253d0567078185c46a4cb52a3c8df649b722858909dc86f22460e1badd521d12f65c1f0d4

        Download Submit
      • memory/1584-6-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1584-7-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1584-9-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1584-8-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1584-5-0x0000000002A90000-0x0000000002A91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1584-11-0x00000000727A0000-0x00000000745AF000-memory.dmp
        Filesize

        30.1MB

        Download
      • memory/1584-10-0x0000000002B00000-0x0000000002B01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1584-18-0x00000000727A0000-0x00000000745AF000-memory.dmp
        Filesize

        30.1MB

        Download
      • memory/1584-4-0x0000000002A80000-0x0000000002A81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1584-30-0x00000000727A0000-0x00000000745AF000-memory.dmp
        Filesize

        30.1MB

        Download
      • memory/4308-23-0x0000000000440000-0x00000000004D5000-memory.dmp
        Filesize

        596KB

        Download
      • memory/4308-29-0x0000000000440000-0x00000000004D5000-memory.dmp
        Filesize

        596KB

        Download