Fallout Exploit Kit delivers Raccoon Stealer

I have added a zipped pcap file for your analysis. The password for the zipped pcap is “infected” all lowercase.

PCAP file of the infection traffic:
2020-02-24-Fallout-EK-Raccoon-pcap.zip


ASSOCIATED DOMAINS:

192.185.129.82 – birosthalittc.in – REDIRECT TO FALLOUT EK
167.71.129.38 – grill4u3.com/Loricoid/07_12_1920/QW6.aspx?chrysopid=4320-stogeies-11063 – FALLOUT EK
35.228.215.155 – POST /gate/log.php – RACCOON STEALER
35.228.215.155 – GET /gate/sqlite3.dll – RACCOON STEALER
35.228.215.155 – GET /gate/libs.zip – RACCOON STEALER
35.228.215.155 – POST /file_handler/file.php – RACCOON STEALER

Image (not reproduced): Network traffic associated with the Fallout Exploit Kit and Raccoon Stealer infection
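As an added example (not part of the original post and not code from the pcap), the script below matches HTTP request log lines against the indicators listed above and, separately, looks for the Raccoon Stealer request sequence (POST /gate/log.php, then GET /gate/sqlite3.dll or /gate/libs.zip, then POST /file_handler/file.php) from any client to any server, since a new C2 address would not be in the IOC list. The log format is an assumed simplified one (`src dst METHOD url`), and the client addresses 10.0.0.5 and 10.0.0.7, the server 203.0.113.9 and the example.com request are constructed for illustration.

```python
"""Match HTTP traffic against the Fallout EK / Raccoon Stealer indicators on this page.

Added example. SAMPLE_LOG is constructed; the log format is an assumed
'src dst METHOD url' line, not Zeek output or the pcap itself.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the page. Host and path are matched separately so the
# Fallout landing page still hits when the query string differs. A path of None
# means any request to that host counts (the redirect domain).
IOC_URLS = {
    ("birosthalittc.in", None): "Redirect to Fallout EK",
    ("grill4u3.com", "/Loricoid/07_12_1920/QW6.aspx"): "Fallout EK landing page",
    ("35.228.215.155", "/gate/log.php"): "Raccoon Stealer C2 check-in",
    ("35.228.215.155", "/gate/sqlite3.dll"): "Raccoon Stealer dependency download",
    ("35.228.215.155", "/gate/libs.zip"): "Raccoon Stealer dependency download",
    ("35.228.215.155", "/file_handler/file.php"): "Raccoon Stealer exfiltration",
}
IOC_IPS = {"192.185.129.82", "167.71.129.38", "35.228.215.155"}

# Host-independent Raccoon Stealer URI pattern taken from the listed traffic.
# Assumption: the same /gate/ and /file_handler/ paths recur on other C2 servers.
RACCOON_CHECKIN = ("POST", "/gate/log.php")
RACCOON_FETCH = {("GET", "/gate/sqlite3.dll"), ("GET", "/gate/libs.zip")}
RACCOON_EXFIL = ("POST", "/file_handler/file.php")

# Constructed sample log: the infection chain from the page on 10.0.0.5, one
# benign request, and a second client talking to an unlisted Raccoon C2.
SAMPLE_LOG = """\
10.0.0.5 192.185.129.82 GET http://birosthalittc.in/
10.0.0.5 167.71.129.38 GET http://grill4u3.com/Loricoid/07_12_1920/QW6.aspx?chrysopid=4320-stogeies-11063
10.0.0.5 35.228.215.155 POST http://35.228.215.155/gate/log.php
10.0.0.5 35.228.215.155 GET http://35.228.215.155/gate/sqlite3.dll
10.0.0.5 35.228.215.155 GET http://35.228.215.155/gate/libs.zip
10.0.0.5 35.228.215.155 POST http://35.228.215.155/file_handler/file.php
10.0.0.5 93.184.216.34 GET http://example.com/index.html
10.0.0.7 203.0.113.9 POST http://203.0.113.9/gate/log.php
10.0.0.7 203.0.113.9 GET http://203.0.113.9/gate/libs.zip
"""


@dataclass
class HttpEvent:
    src: str
    dst: str
    method: str
    host: str
    path: str


def parse_line(line: str) -> Optional[HttpEvent]:
    """Parse one 'src dst METHOD url' line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, method, url = parts
    u = urlsplit(url)
    return HttpEvent(src, dst, method.upper(), u.hostname or "", u.path or "/")


def parse_log(text: str) -> List[HttpEvent]:
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in events if e is not None]


def match_iocs(events: List[HttpEvent]) -> List[Tuple[str, str, str, str, str]]:
    """Exact matches against the page's indicators: (src, host, method, path, label)."""
    hits = []
    for e in events:
        label = IOC_URLS.get((e.host, e.path)) or IOC_URLS.get((e.host, None))
        if label is None and e.dst in IOC_IPS:
            label = "Traffic to listed infrastructure IP"
        if label:
            hits.append((e.src, e.host, e.method, e.path, label))
    return hits


def raccoon_sequences(events: List[HttpEvent]) -> Dict[Tuple[str, str], str]:
    """Per (src, dst) pair, flag the check-in + dependency fetch pattern on any
    server; 'exfil' if the file_handler POST was also seen."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.src, e.dst)].add((e.method, e.path))
    findings = {}
    for pair, reqs in seen.items():
        if RACCOON_CHECKIN in reqs and reqs & RACCOON_FETCH:
            findings[pair] = "exfil" if RACCOON_EXFIL in reqs else "checkin+fetch"
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in match_iocs(evts):
        print("IOC hit:", hit)
    for pair, stage in raccoon_sequences(evts).items():
        print("Raccoon pattern:", pair, stage)
```

The exact-match pass is what you would load into a proxy or Zeek http.log search; the sequence pass is the part worth keeping after the listed C2 address goes dark, because it keys on the request pattern rather than on 35.228.215.155.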


Raccoon Stealer Original Payload:
Filename: \AppData\LocalLow\cFOkVQWp.tmp
SHA256: 6452BCE880E9B68C2F3FADBE82DBD1B6C4A62A77D58C6731F1987CCF56FEC2BC
https://www.virustotal.com/gui/file/6452bce880e9b68c2f3fadbe82dbd1b6c4a62a77d58c6731f1987ccf56fec2bc/detection