raccoon | 97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e

Resubmissions

27-02-2020 14:32

24-02-2020 18:10

18-02-2020 14:57

Target

97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe
Size

637KB
MD5

f8e8da4bcb00ac0f4c52392719c7361e
SHA1

accedfe263fca73d78eab360f7afe9d131b062bd
SHA256

97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e
SHA512

aa3614c91419afdcfb7f8ae0bc603580289434d439d0f6fed31c5ea4ab97ba7beb5973f7560f4f12ea0bdf5cea842ff84cf8f587b7bf79e182ba378df22a07e5

Score

10^/10

stealer raccoon

Family

raccoon

Botnet

89379f5371f470435351b0d002d50f28a65fff02

http://104.155.44.42/gate/log.php

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1jN5ZmsLRZEQEtxsUIIVXnSOKaqBdnX6Z

rc4.plain

Suspicious use of SetThreadContext 1 IoCs

Processes:

97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe

description	pid	process	target process
PID 4040 set thread context of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe

description	pid	process	target process
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe
PID 4040 wrote to memory of 3624	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe

description pid process

Token: SeDebugPrivilege 4040 97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe

description	pid	process
Token: SeDebugPrivilege	4040	97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe

C:\Users\Admin\AppData\Local\Temp\97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe
"C:\Users\Admin\AppData\Local\Temp\97efb8b6fc0c9b84e02a02372ec9e6b0bfb95cadd63d9941d7815d58adc5849e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3624

memory/3624-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3624-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download