raccoon | b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55

General

Target

348f0076f012ff2394b7c1c21dc91876.exe
Size

1.4MB
MD5

348f0076f012ff2394b7c1c21dc91876
SHA1

0cf8cfde66b6e6c1cbf64e1fe0a29dc56dec961b
SHA256

b67e506c5b8f79ad835ffe9ca039d2bf3109d10676e832c2da761b8714657a55
SHA512

37268bb8a9dc25365867819bd384239a1db5b8d35a3e3fbcc851400eb4b1e557b48adc7151d83ca0f073f814a0749a71c6dce2fc88dabbc542c24f230acff8c7

Score

10^/10

spyware discovery stealer raccoon

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.2 Kushage Release Build compiled on Mon Oct 28 17:22:24 2019 Launched at: 2020.02.12 - 20:16:30 GMT Bot_ID: 293FA5BD-EDFB-4BBA-800E-A7DCE3EA3438_Admin ============ System Information: - System Language: English - ComputerName: DQPLNXWK - Username: Admin - IP: 154.61.71.13 - Windows version: NT 6.2 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (724 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

raccoon

Botnet

316ff478595e2db6ecc2380dc0039736dea133bc

C2

http://34.76.55.103/gate/log.php

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1Bi_uNdZ2iSQljAb5TSljuYV1vp5edk1X

rc4.plain

Signatures

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

348f0076f012ff2394b7c1c21dc91876.exe

pid process

4932 348f0076f012ff2394b7c1c21dc91876.exe

pid	process
4932	348f0076f012ff2394b7c1c21dc91876.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

348f0076f012ff2394b7c1c21dc91876.exe

description	pid	process	target process
PID 4932 wrote to memory of 4580	4932	348f0076f012ff2394b7c1c21dc91876.exe	348f0076f012ff2394b7c1c21dc91876.exe
PID 4932 wrote to memory of 4580	4932	348f0076f012ff2394b7c1c21dc91876.exe	348f0076f012ff2394b7c1c21dc91876.exe
PID 4932 wrote to memory of 4580	4932	348f0076f012ff2394b7c1c21dc91876.exe	348f0076f012ff2394b7c1c21dc91876.exe
PID 4932 wrote to memory of 4580	4932	348f0076f012ff2394b7c1c21dc91876.exe	348f0076f012ff2394b7c1c21dc91876.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

348f0076f012ff2394b7c1c21dc91876.exe

description pid process target process

PID 4932 set thread context of 4580 4932 348f0076f012ff2394b7c1c21dc91876.exe 348f0076f012ff2394b7c1c21dc91876.exe
Loads dropped DLL 3 IoCs

Processes:

348f0076f012ff2394b7c1c21dc91876.exe

pid process

4580 348f0076f012ff2394b7c1c21dc91876.exe
4580 348f0076f012ff2394b7c1c21dc91876.exe
4580 348f0076f012ff2394b7c1c21dc91876.exe
Reads browser user data or profiles (possible credential harvesting) 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 4932 set thread context of 4580	4932	348f0076f012ff2394b7c1c21dc91876.exe	348f0076f012ff2394b7c1c21dc91876.exe

pid	process
4580	348f0076f012ff2394b7c1c21dc91876.exe
4580	348f0076f012ff2394b7c1c21dc91876.exe
4580	348f0076f012ff2394b7c1c21dc91876.exe

Checks for installed software on the system 1 TTPs 27 IoCs

discovery

Query Registry

T1012

Processes:

348f0076f012ff2394b7c1c21dc91876.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	348f0076f012ff2394b7c1c21dc91876.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

348f0076f012ff2394b7c1c21dc91876.exe

pid process

4932 348f0076f012ff2394b7c1c21dc91876.exe

pid	process
4932	348f0076f012ff2394b7c1c21dc91876.exe

C:\Users\Admin\AppData\Local\Temp\348f0076f012ff2394b7c1c21dc91876.exe
"C:\Users\Admin\AppData\Local\Temp\348f0076f012ff2394b7c1c21dc91876.exe"
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
PID:4932
- C:\Users\Admin\AppData\Local\Temp\348f0076f012ff2394b7c1c21dc91876.exe
  C:\Users\Admin\AppData\Local\Temp\348f0076f012ff2394b7c1c21dc91876.exe
  2⤵
  - Loads dropped DLL
  - Checks for installed software on the system
  PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Download Submit
memory/4580-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads