Resubmissions

  • 29-04-2024 19:30  240429-x7vc2sah46  (10)
  • 29-04-2024 19:28  240429-x65gmaah25  (1)
  • 29-04-2024 19:25  240429-x49zbsag74  (10)
  • 29-04-2024 04:45  240429-fdebasaf52  (10)

General

  • Target: de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
  • Size: 718KB
  • Sample: 240429-x49zbsag74
  • MD5: 1bf24ce8b5e34930932432d626fac06d
  • SHA1: 32276318f55c1118980f98377968de0f78c9227e
  • SHA256: de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
  • SHA512: d3885e43fe5189eb37cdf4518f05c9096685974db4eefd96260e2db8b17cda13b67861cef2247aeb12baed7ca59c892c82f855c5179e54213f861d2c352ce4fa
  • SSDEEP: 12288:tfLmWONlyXjI/kkJzHSomfaeITAl5aqzTuCTTcARinC/4Tf0Yk4FfRUEy2Hzo5:tfLmNlz/XUyZTAl8jOiiifDzo5

Malware Config (Extracted)

  • Family: raccoon
  • Botnet: fda6c8debb0b6b5a1d9698b54b255a7d
  • C2: http://91.92.255.182:80/
  • Attributes
      • user_agent: MrBidenNeverKnow
      • xor.plain

Targets

  • Target: de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
      • Size: 718KB
      • MD5: 1bf24ce8b5e34930932432d626fac06d
      • SHA1: 32276318f55c1118980f98377968de0f78c9227e
      • SHA256: de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
      • SHA512: d3885e43fe5189eb37cdf4518f05c9096685974db4eefd96260e2db8b17cda13b67861cef2247aeb12baed7ca59c892c82f855c5179e54213f861d2c352ce4fa
      • SSDEEP: 12288:tfLmWONlyXjI/kkJzHSomfaeITAl5aqzTuCTTcARinC/4Tf0Yk4FfRUEy2Hzo5:tfLmNlz/XUyZTAl8jOiiifDzo5
      • Raccoon
        Raccoon is an infostealer written in C++ and first seen in 2019.
      • Raccoon Stealer V2 payload
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Downloads MZ/PE file
      • Checks computer location settings
        Looks up the country code configured in the registry, likely for geofencing.
      • Executes dropped EXE
      • Loads dropped DLL
      • Reads user/profile data of web browsers
        Infostealers often target stored browser data, which can include saved credentials.
      • Accesses cryptocurrency files/wallets, possible credential harvesting
      • Checks installed software on the system
        Looks up Uninstall key entries in the registry to enumerate software on the system.
      • Suspicious use of SetThreadContext

  • Target: $INTERNET_CACHE/Counting
      • Size: 281KB
      • MD5: a262219e61af791c944a87d07bac0075
      • SHA1: d74aeaa010271d13e1edc54bc73601e57f020c49
      • SHA256: 0177bcf1e6862c139fae08a9c6027f68989b4f68a239b64fab7449d1c421ddc0
      • SHA512: 116ce3a1349a17f8b14a5c2a35af9008d8ffbdeae5e3b2a22f9cedbb18f2af564cc8b7762b30c643265eb16907df02a5c75fb3d141db0646f46bf777b855febb
      • SSDEEP: 6144:A6IANxWUO1LsAotpxlZsgGrinm/O/wmJp9b:l/xWUftpxlZsgGZmJp9b
      • Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Credential Access
  • T1552 Unsecured Credentials (2)
  • T1552.001 Credentials In Files (2)

Discovery
  • T1012 Query Registry (5)
  • T1082 System Information Discovery (6)
  • T1120 Peripheral Device Discovery (1)
  • T1057 Process Discovery (1)
  • T1018 Remote System Discovery (1)

Collection
  • T1005 Data from Local System (2)
