raccoon | 7c0f865eb289347327a93774d91a5154cfdaf5e3a31318bedf5024463bcac4eb

General

Target

pa1reui4zmqkzf1.exe
Size

5.5MB
MD5

faba8d1f0a1c89d9bde654edb128da56
SHA1

c64d7afcfd3605acc7ff3ce8959f7976c0de437b
SHA256

7c0f865eb289347327a93774d91a5154cfdaf5e3a31318bedf5024463bcac4eb
SHA512

73a35c72783ea3c13228116efca8fde220271e4dbd73c19834ae97dacc91df528e432e4daa25b1bd8bda680b534929054c2bb7b57d9f5be119d2b00b65f70a25

Score

10^/10

spyware stealer raccoon

Malware Config

Extracted

Family

raccoon

Botnet

89379f5371f470435351b0d002d50f28a65fff02

C2

http://104.155.44.42/gate/log.php

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1jN5ZmsLRZEQEtxsUIIVXnSOKaqBdnX6Z

rc4.plain

Signatures

Reads browser user data or profiles (possible credential harvesting) 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

pa1reui4zmqkzf1.exe

description	pid	process	target process
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe
PID 3560 wrote to memory of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pa1reui4zmqkzf1.exe

description pid process target process

PID 3560 set thread context of 3096 3560 pa1reui4zmqkzf1.exe RegAsm.exe
Loads dropped DLL 1 IoCs

Processes:

RegAsm.exe

pid process

3096 RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3280 3096 WerFault.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3280 WerFault.exe
Token: SeBackupPrivilege 3280 WerFault.exe
Token: SeDebugPrivilege 3280 WerFault.exe

description	pid	process	target process
PID 3560 set thread context of 3096	3560	pa1reui4zmqkzf1.exe	RegAsm.exe

pid	process
3096	RegAsm.exe

pid	pid_target	process	target process
3280	3096	WerFault.exe	RegAsm.exe

description	pid	process
Token: SeRestorePrivilege	3280	WerFault.exe
Token: SeBackupPrivilege	3280	WerFault.exe
Token: SeDebugPrivilege	3280	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe
3280	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\pa1reui4zmqkzf1.exe
"C:\Users\Admin\AppData\Local\Temp\pa1reui4zmqkzf1.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1728
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:3280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/3096-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3096-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3280-7-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3280-8-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing