General

  • Target

    payload.bin

  • Size

    413KB

  • Sample

    191202-tlqmh39dms

  • MD5

    78d9ee4ebd4513402dffaf2efccbad0e

  • SHA1

    713576099fea6dd4c37e84e2c507bc1e7f027948

  • SHA256

    9d86acff939f2bab3d4a8a8eed8581475189a3e76ba03bbe30e7b36c4b0ffd38

  • SHA512

    f611fea65cacd42c488aa4ae365e38a96f154e79b1e283efef0b8a6aa0c6b8a0d3e7317d57209317b5d0b9a7822ece8809ac7c0a15df1b7328c447314971034d

Malware Config

Targets

    • Target

      payload.bin

    • Size

      413KB

    • MD5

      78d9ee4ebd4513402dffaf2efccbad0e

    • SHA1

      713576099fea6dd4c37e84e2c507bc1e7f027948

    • SHA256

      9d86acff939f2bab3d4a8a8eed8581475189a3e76ba03bbe30e7b36c4b0ffd38

    • SHA512

      f611fea65cacd42c488aa4ae365e38a96f154e79b1e283efef0b8a6aa0c6b8a0d3e7317d57209317b5d0b9a7822ece8809ac7c0a15df1b7328c447314971034d

    • Raccoon

      It's the RaccAttack!

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

    • Checks for installed software on the system

    • Modifies system certificate store

    • Reads 7star user data, possible credential harvesting

    • Reads Amigo user data, possible credential harvesting

    • Reads Bromium user data, possible credential harvesting

    • Reads Centbrowser user data, possible credential harvesting

    • Reads Chedot user data, possible credential harvesting

    • Reads Chrome SxS user data, possible credential harvesting

    • Reads Chrome user data, possible credential harvesting

    • Reads Chromium user data, possible credential harvesting

    • Reads Dragon user data, possible credential harvesting

    • Reads Elements browser user data, possible credential harvesting

    • Reads Epic privacy browser user data, possible credential harvesting

    • Reads Firefox user profile, possible credential harvesting

    • Reads Go! user data, possible credential harvesting

    • Reads Kometa user data, possible credential harvesting

    • Reads Mustang user data, possible credential harvesting

    • Reads Nichrome user data, possible credential harvesting

    • Reads Orbitum user data, possible credential harvesting

    • Reads Pale Moon browser user profile, possible credential harvesting

    • Reads Qip surf user data, possible credential harvesting

    • Reads Rockmelt user data, possible credential harvesting

    • Reads Secure browser user data, possible credential harvesting

    • Reads Sputnik user data, possible credential harvesting

    • Reads Suhba user data, possible credential harvesting

    • Reads Superbird user data, possible credential harvesting

    • Reads Tor Browser user profile, possible credential harvesting

    • Reads Torch user data, possible credential harvesting

    • Reads Uran user data, possible credential harvesting

    • Reads Vivaldi user data, possible credential harvesting

    • Reads Waterfox user profile, possible credential harvesting

    • Reads user profile for Thunderbird email client, possible credential harvesting

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Disabling Security Tools (T1089): 1
    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1

  • Credential Access

    Credentials in Files (T1081): 30

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 1
    Remote System Discovery (T1018): 1

  • Collection

    Data from Local System (T1005): 30

Tasks