raccoon | 82214d13917ce35d7a08d47bcd2a053ad385d1f13fed5d06507eeb9471c918b2

General

Target

4wvbd5ykxwfxg.exe
Size

5.5MB
MD5

45a02b429739d0d3c02e972ec3964eb1
SHA1

2842b9f8f61c85543545946973b4b750b070fde1
SHA256

82214d13917ce35d7a08d47bcd2a053ad385d1f13fed5d06507eeb9471c918b2
SHA512

fded983fdf09401ce0f2633e9dd55623692dc4b29d49ebf49bffabd76e009f8946eb8a35ce2cfcfb5eec5542010229e66ce6fd38b9bae6f82ccc6d5510ae7562

Score

10^/10

spyware stealer raccoon

Malware Config

Extracted

Family

raccoon

Botnet

89379f5371f470435351b0d002d50f28a65fff02

C2

http://104.155.44.42/gate/log.php

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1jN5ZmsLRZEQEtxsUIIVXnSOKaqBdnX6Z

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4wvbd5ykxwfxg.exe

description	pid	process	target process
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe
PID 3768 wrote to memory of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4wvbd5ykxwfxg.exe

description pid process target process

PID 3768 set thread context of 3112 3768 4wvbd5ykxwfxg.exe RegAsm.exe
Loads dropped DLL 1 IoCs

Processes:

RegAsm.exe

pid process

3112 RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3476 3112 WerFault.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3476 WerFault.exe
Token: SeBackupPrivilege 3476 WerFault.exe
Token: SeDebugPrivilege 3476 WerFault.exe

description	pid	process	target process
PID 3768 set thread context of 3112	3768	4wvbd5ykxwfxg.exe	RegAsm.exe

pid	process
3112	RegAsm.exe

pid	pid_target	process	target process
3476	3112	WerFault.exe	RegAsm.exe

description	pid	process
Token: SeRestorePrivilege	3476	WerFault.exe
Token: SeBackupPrivilege	3476	WerFault.exe
Token: SeDebugPrivilege	3476	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe

Reads browser user data or profiles (possible credential harvesting) 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\4wvbd5ykxwfxg.exe
"C:\Users\Admin\AppData\Local\Temp\4wvbd5ykxwfxg.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  PID:3112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1740
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/3112-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3112-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3476-7-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/3476-8-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing