-
Notifications
You must be signed in to change notification settings - Fork 11
/
2020-09-01-IOCs-for-Raccoon-Stealer.txt
36 lines (27 loc) · 1.44 KB
/
2020-09-01-IOCs-for-Raccoon-Stealer.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
2020-09-01 (TUESDAY) - RACCOON STEALER ACTIVITY
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1301238990348091392
EMAIL INFO:
- Date: Wed, 2 Sep 2020 00:48:48 +0800 (HKT)
- Received: from mail.grandco.com.hk ([223.255.188.26])
- From: <[email protected]>
- Subject: Purchase Order
- Message-ID: <[email protected]>
- Attachment: Purchase Order.xlsx
ASSOCIATED MALWARE:
- SHA256 hash: 2ed32602e42ca10c7b505a3581ddb0dbbe0f3e19a6e8a63e6ff0a7325ca54a3b
- File size: 573,197 bytes
- File name: Purchase Order.xlsx
- File description: Excel spreadsheet with CVE-2017-11882 exploit for Raccoon Stealer
- SHA256 hash: c91e2df02ad2c8ccadc96054bceee4422382caa62d443e2633a003e4ce5c7476
- File size: 507,904 bytes
- File location: hxxp://boyama.medyanef[.]com/vendor/league/fractal/files/c7f6e7.exe
- File location: C:\Users\[username]\AppData\Roaming\RichX.com
- File description: Windows executable (EXE) file for Raccoon Stealer
INFECTION TRAFFIC:
- 93.113.63[.]58 port 80 - boyama[.]medyanef[.]com - GET /vendor/league/fractal/files/c7f6e7.exe
- 195.201.225[.]248 port 443 - telete[.]in - HTTPS traffic
- 34.89.241[.]53 port 80 - 34.89.241[.]53 - POST /gate/log.php
- 34.89.241[.]53 port 80 - 34.89.241[.]53 - GET /gate/sqlite3.dll
- 34.89.241[.]53 port 80 - 34.89.241[.]53 - GET /gate/libs.zip
- 34.89.241[.]53 port 80 - 34.89.241[.]53 - POST /file_handler4/file.php?hash=[hash string and other parameters]