General

  • Target

    a8eb804aed19ff28f8125358d3e2349afd613e423c081fd6b027a0ea345c2886

  • Size

    5.4MB

  • Sample

    241107-k12gkazane

  • MD5

    9ce41df34f5a485145196b97ec695f00

  • SHA1

    7548743eb28c9241b51472cca7e79cafa87074b8

  • SHA256

    a8eb804aed19ff28f8125358d3e2349afd613e423c081fd6b027a0ea345c2886

  • SHA512

    77cbc3c9adec8b848db5c31e170632c902693ff2e525ccb55da05592078e268e584b2095029cfe3aa7ad2cfb26e2a23f9a1f8ff046a5b1239291a153c4cdc24e

  • SSDEEP

    98304:6IxYMuVTHphqbk6Ao0Bs3+4dbi8R1BV5qxRJ36XUR+o0LVAeShTu47LYRrCdJKyW:7GpVrvqdAoSEb/rBV5OuToVjLYBkJrTi

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Version

1.7.3

Botnet

5c07c7a19b0c108c44d95accd1e1b897aa1528e1

Attributes
  • url4cnc

    https://telete.in/fsp1boomgasio

rc4.plain
rc4.plain

Targets

    • Target

      Versium Research/028d53f5224f9cc8c60bd953504f1efa.exe

    • Size

      4.4MB

    • MD5

      90a0bd1a164b2af8a7b15f75ab07e3f1

    • SHA1

      c8def0f5b75c51b2efa40b07ebe035566d8be1a1

    • SHA256

      276387214b560792419a07b097ee76400519c2c902f378207d30acf851ac2213

    • SHA512

      b0cd55af23728cbf3a63392c492aff201df688f1185eb5f577e56151c8d871d49ae392d51bdfdf0dde360d86fc919174015d6d6cabbd3c3f59cdec5ca53bf4c0

    • SSDEEP

      98304:N9q+oGJo+qJJL2CXFhmOdc3hKpw0dx4juSWejiXkiOvNqwf7BiqK8XaYtXBr:zq+oGeyUw0wjuSW/XkfNJ74qXDr

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Target

      Versium Research/Bot_Checker.exe

    • Size

      56KB

    • MD5

      391ca27e1e5cc0da88d1fcc8df1d0d85

    • SHA1

      25bd7c5b7d88bcd01610226fccb0910b48dc1eee

    • SHA256

      a9ee4862c1e7931ef8366b090ac1f3212e79cc17d7737f537978d9a3fb0c5ef1

    • SHA512

      2dbb84eb664798766a669c7d407be76d5154bd7d0b99f2c2371ad0ae3e1124605df0771b228f7a3406f023fa9cbba3022afb5b48207cf1eb14d94cda7a5117f9

    • SSDEEP

      768:dQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKClqp9:NAoITdT0Zy5bZXYmlqp9

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      Versium Research/Uninstall.exe

    • Size

      97KB

    • MD5

      a8c53399726fea24e4af993e971df5af

    • SHA1

      50b4c4d3cf172106417dc0e59eaa63bf7cd0603e

    • SHA256

      6b13a733947bc2395695cc6f9a8b59eae88cf6467e368a810bcac0c10d6c46a6

    • SHA512

      b2159712ecfa8f7e9a75a190e858cc791bcdcd19118a6db40041d7ffbda531343a63244d35012702dda8514191e8bf6e838ab896c9db232f2c163fc4d4cd2bf9

    • SSDEEP

      1536:zO/z6hPABUjO/Zd1716EoLiL4l1HdIaqQPDm0xK8i6f0Zn9PRVW8sW45o75U:kzgjO/Zd1RePDmZ8tf05iW4u1U

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Versium Research/Versium.exe

    • Size

      746KB

    • MD5

      393d6260e39b68b2d60300e4f62ebc83

    • SHA1

      16c58c5b7dee3ce4c3a40925ba4eed3c188faf46

    • SHA256

      e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3

    • SHA512

      d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198

    • SSDEEP

      6144:d/QiQXCz5m+ksmpk3U9j0IMsoxvjFEOTb9WmZX/8shzdsY4CpHPhnBvudg:VQi3zc6m6UR0IMp1hf39Wkv8xwJB2i

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Versium Research/VersiumResearch32bit.exe

    • Size

      504KB

    • MD5

      8479bce60218cd871c118308ded82d39

    • SHA1

      0388ec861b2ac5c7f4dc6eed249d92d3002fe66e

    • SHA256

      15078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43

    • SHA512

      f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8

    • SSDEEP

      12288:KZCvp4LezCdIzVgs4Bi9ecBTBB85c50J3FTI:KZuKezCqzVgsy8acqBI

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Raccoon family

    • Target

      Versium Research/VersiumResearch64bit.exe

    • Size

      252KB

    • MD5

      ee19bc8a2b6c6fd7c30037389457a4df

    • SHA1

      e1fca1cc33574e59dec62763ee6e7de1a5198095

    • SHA256

      76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0

    • SHA512

      38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001

    • SSDEEP

      3072:45uNO+8s6V5WQZV08YLmqa/Qh10UNtGOWmA3hLKKKKKU8AAFTbp8ELQHsoOJNuY2:45W8sscuVVYLOoh1MGfJXnIZRhv

    Score
    1/10
    • Target

      Versium Research/Versiumresearch.exe

    • Size

      163KB

    • MD5

      b1dbc3b027105d8032541bc0c5e71abb

    • SHA1

      1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130

    • SHA256

      b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4

    • SHA512

      3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b

    • SSDEEP

      3072:3iwHlYGynq3D2/NS6hskuAM44ht1kENNUUd/mYK:bGGD21S6hskuAC/vNNw

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks