raccoon | b4fb873efe46af1c642cf95c769636299db7a264dae7c6ac98043d69a13a32c2

General

Target

111.exe
Size

1.1MB
MD5

2811be8de6af1ee6bedcc961c9001e32
SHA1

535ddd8df6536df9ad9b7bb542d02c3bba3f4501
SHA256

b4fb873efe46af1c642cf95c769636299db7a264dae7c6ac98043d69a13a32c2
SHA512

929a852d2b7287480d22a04c59b18dc6533e7f838515c55d48f1232fb4289f3f4f0cf4144f400ae850f13cd4e81d320cd0e52fd880cb8b55a72ae19477fef1e3

Score

10^/10

spyware stealer raccoon

Malware Config

Extracted

Family

raccoon

Botnet

e4c70942470abe329d09148289e517bba5dc8de8

C2

http://34.77.125.60/gate/log.php

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1qZrnBBnNnNNwKTzUp7lRHQjySnzCdh12

rc4.plain

Signatures

Executes dropped EXE 2 IoCs

Processes:

smss.comsmss.com

pid process

3928 smss.com
3168 smss.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

smss.comsmss.com

pid process

3928 smss.com
3928 smss.com
3928 smss.com
3168 smss.com
3168 smss.com
3168 smss.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

smss.com

description pid process target process

PID 3168 set thread context of 4008 3168 smss.com svchost.exe

pid	process
3928	smss.com
3168	smss.com

pid	process
3928	smss.com
3928	smss.com
3928	smss.com
3168	smss.com
3168	smss.com
3168	smss.com

description	pid	process	target process
PID 3168 set thread context of 4008	3168	smss.com	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Loads dropped DLL 2 IoCs

Processes:

111.exesvchost.exe

pid process

3988 111.exe
4008 svchost.exe

pid	process
3988	111.exe
4008	svchost.exe

Suspicious use of WriteProcessMemory 60021 IoCs

Processes:

111.execmd.exesmss.comsmss.com

description	pid	process	target process
PID 3988 wrote to memory of 3636	3988	111.exe	cmd.exe
PID 3988 wrote to memory of 3636	3988	111.exe	cmd.exe
PID 3988 wrote to memory of 3636	3988	111.exe	cmd.exe
PID 3636 wrote to memory of 992	3636	cmd.exe	certutil.exe
PID 3636 wrote to memory of 992	3636	cmd.exe	certutil.exe
PID 3636 wrote to memory of 992	3636	cmd.exe	certutil.exe
PID 3636 wrote to memory of 3928	3636	cmd.exe	smss.com
PID 3636 wrote to memory of 3928	3636	cmd.exe	smss.com
PID 3636 wrote to memory of 3928	3636	cmd.exe	smss.com
PID 3928 wrote to memory of 3168	3928	smss.com	smss.com
PID 3928 wrote to memory of 3168	3928	smss.com	smss.com
PID 3928 wrote to memory of 3168	3928	smss.com	smss.com
PID 3636 wrote to memory of 3884	3636	cmd.exe	timeout.exe
PID 3636 wrote to memory of 3884	3636	cmd.exe	timeout.exe
PID 3636 wrote to memory of 3884	3636	cmd.exe	timeout.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe
PID 3168 wrote to memory of 4008	3168	smss.com	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

smss.comsmss.com

pid process

3928 smss.com
3928 smss.com
3928 smss.com
3168 smss.com
3168 smss.com
3168 smss.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3364 4008 WerFault.exe svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3364 WerFault.exe
Token: SeBackupPrivilege 3364 WerFault.exe
Token: SeDebugPrivilege 3364 WerFault.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3884 timeout.exe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

pid	process
3928	smss.com
3928	smss.com
3928	smss.com
3168	smss.com
3168	smss.com
3168	smss.com

pid	pid_target	process	target process
3364	4008	WerFault.exe	svchost.exe

description	pid	process
Token: SeRestorePrivilege	3364	WerFault.exe
Token: SeBackupPrivilege	3364	WerFault.exe
Token: SeDebugPrivilege	3364	WerFault.exe

pid	process
3884	timeout.exe

C:\Users\Admin\AppData\Local\Temp\111.exe
"C:\Users\Admin\AppData\Local\Temp\111.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c <nul set /p ="M" > smss.com & type lsm.com >> smss.com & del lsm.com & certutil -decode bolo.com treaz & smss.com treaz & timeout 3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode bolo.com treaz
    3⤵
    PID:992
- - C:\Users\Admin\AppData\Roaming\smss.com
    smss.com treaz
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Suspicious use of FindShellTrayWindow
    PID:3928
  - - C:\Users\Admin\AppData\Roaming\smss.com
      C:\Users\Admin\AppData\Roaming\smss.com treaz
      4⤵
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      Suspicious use of FindShellTrayWindow
      PID:3168
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        Loads dropped DLL
        
        PID:4008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1640
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bolo.com

Download Submit
C:\Users\Admin\AppData\Roaming\dKNP.com

Download Submit
C:\Users\Admin\AppData\Roaming\lsm.com

Download Submit
C:\Users\Admin\AppData\Roaming\smss.com

Download Submit
C:\Users\Admin\AppData\Roaming\smss.com

Download Submit
C:\Users\Admin\AppData\Roaming\treaz

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsb689E.tmp\nsExec.dll

Download Submit
memory/3364-11-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/3364-12-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4008-7-0x0000000000180000-0x000000000020A000-memory.dmp

Filesize
552KB

Download
memory/4008-9-0x0000000000180000-0x000000000020A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing