The malware is extracted from a dropper similar to the one used in the Aggah campaign.
Unfortunately, I can't proceed with the analysis any further, as there is an issue with the response from the C2 server 😔. Maybe they removed support for this build.
However, I still tried my best to get all the remaining things done.
Get the machine GUID
Get the GUID by reading the value in the registry key
Create the bot_id by concatenating the GUID and the username
Is the locale Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek?
If yes, quit the process; if no, continue with the malicious activity.
Get the C2 URL
Get the config and required files
Send a POST request to the C2 server with the parameters
bot_id=%machineGUID%_%username%&config_id=%configID%&data=null, which are encoded with base64.
An error from the C2 leaves my analysis stuck here …
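As an added defender-side example (not code from the original post or from the malware), here is a decoder for the beacon body described above: it base64-decodes the POST body, splits the bot_id back into machine GUID and username, and rejects bodies that do not fit the GUID_username shape, which is useful for triaging captured requests. The GUID, username and config_id values are constructed, and the GUID is assumed to be in the standard 8-4-4-4-12 hexadecimal form.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample beacon body in the shape the post describes, base64-encoded.
# The GUID, username and config_id are made-up values, not real indicators.
SAMPLE_BODY = base64.b64encode(
    b"bot_id=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d_analyst"
    b"&config_id=cfg-placeholder&data=null"
).decode()

# Constructed negative sample: bot_id lacks a GUID in front of the underscore.
BAD_BODY = base64.b64encode(b"bot_id=notaguid_user&config_id=x&data=null").decode()

# Assumed GUID shape: 8-4-4-4-12 hex groups, as produced by a Windows machine GUID.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def decode_beacon(body: str) -> dict:
    """Decode a base64 POST body and split bot_id into machine GUID and username.

    Returns a dict with 'matches' set to True and the parsed fields when the body
    fits the described beacon format, or 'matches' False with a reason otherwise.
    """
    try:
        raw = base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error is a ValueError subclass, so invalid base64 lands here too.
        return {"matches": False, "reason": "body is not valid base64/utf-8"}

    params = parse_qs(raw, keep_blank_values=True)
    bot_id = params.get("bot_id", [""])[0]

    # A username may itself contain '_', so split on the first underscore only.
    guid, sep, username = bot_id.partition("_")
    if not sep or not GUID_RE.match(guid) or not username:
        return {"matches": False, "reason": "bot_id not in GUID_username form"}

    return {
        "matches": True,
        "machine_guid": guid.lower(),
        "username": username,
        "config_id": params.get("config_id", [""])[0],
        "data": params.get("data", [""])[0],
    }
```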
GDrive link (to reveal the address of the C&C server)
C&C (to get the config and required files)