Overview

overview

10

Static

static

864caa3b81...31.exe

windows7_x64

10

864caa3b81...31.exe

windows10_x64

10

Analysis

  • max time kernel
    109s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v191014
  • submitted
    12-02-2020 19:14

Sharing

Copy URL
Twitter E-mail

General

  • Target

    864caa3b81740d39b069b9cbb2e67d31.exe

  • Size

    1.9MB

  • MD5

    864caa3b81740d39b069b9cbb2e67d31

  • SHA1

    bdbf23ef85d6f0ead1482f2c06ea9dcc9f9bda53

  • SHA256

    32f98310a458d19c44263eb456e19ee2d6d16a3d096d9416596c7f24eb0d3074

  • SHA512

    b7a297e4486e17f141fdd45922a74fa4939c3172c8fc54ff91c8489e02cd658f9ede3a98c65e33b9d48ab4e40a867372e6b7407134734160c56bfb172a98e462

Score
10/10
evasionspywaretrojandiscoverystealerraccoon

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note
[Raccoon Stealer] - v1.4.2 Release Build compiled on Tue Dec 17 14:14:55 2019 Launched at: 2020.02.12 - 20:15:10 GMT Bot_ID: 18654976-C7DB-4A1A-8859-070035D242D5_Admin ============ System Information: - System Language: English - System TimeZone: -0 hrs - ComputerName: JUEOVPOM - Username: Admin - IP: 154.61.71.13 - Windows version: NT 6.1 - Product name: Windows 7 Professional - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 2047 MB (410 MB used) - Screen resolution: 1280x720 - Display devices: 0) Standard VGA Graphics Adapter ============

Extracted

Family

raccoon

Botnet

ee29149280396bb8bfd2a331aa61b6bca42540c7

C2

http://34.76.55.103/gate/log.php

Attributes
  • url4cnc

    https://drive.google.com/uc?export=download&id=10rzaNoF7YXiRpeyiHdkSdciNDW4V5jrc

rc4.plain
rc4.plain

Signatures

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Reads browser user data or profiles (possible credential harvesting) 2 TTPs
    spyware
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Checks for installed software on the system 1 TTPs 28 IoCs
    discovery
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon

Processes

  • C:\Users\Admin\AppData\Local\Temp\864caa3b81740d39b069b9cbb2e67d31.exe
    "C:\Users\Admin\AppData\Local\Temp\864caa3b81740d39b069b9cbb2e67d31.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1444
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\SysWOW64\dllhost.exe"
      2⤵
      • Loads dropped DLL
      • Modifies system certificate store
      • Checks for installed software on the system
      PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\864caa3b81740d39b069b9cbb2e67d31.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\SysWOW64\timeout.exe
        TimeOut 1
        3⤵
        • Delays execution with timeout.exe
        PID:2008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\LocalLow\AdLibs\mozglue.dll
    Download Submit

  • \Users\Admin\AppData\LocalLow\AdLibs\msvcp140.dll
    Download Submit

  • \Users\Admin\AppData\LocalLow\AdLibs\nss3.dll
    Download Submit

  • \Users\Admin\AppData\LocalLow\AdLibs\vcruntime140.dll
    Download Submit

  • \Users\Admin\AppData\LocalLow\sqlite3.dll
    Download Submit

  • memory/1348-0-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/1348-1-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download