raccoon | 43eb644d0682f9bc85745c538015ba9ad19b10116792b5e5aa5da33b6c3af797

General

Target

host.bin.exe
Size

496KB
MD5

e4f4e051625054d753730fd9183c4a34
SHA1

d538ffffd82540752a23d5defc90e501093861bf
SHA256

43eb644d0682f9bc85745c538015ba9ad19b10116792b5e5aa5da33b6c3af797
SHA512

10178975c49c2fc1c414ad1d106d1e46c0fa4bd1748bba24c80b7ff982da034019d69bba3b559255632a8df953dab7ec901b979d8be99ee88efefb3cbd9861a5

Score

10^/10

spyware discovery stealer raccoon

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5 Release Build compiled on Tue Apr 7 15:04:24 2020 Launched at: 2020.04.15 - 16:53:27 GMT Bot_ID: 953DAA47-DD2D-4C7C-A4F4-C374A8807DB1_Admin Running on a desktop =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - ComputerName: NHGEBMNE - Username: Admin - IP: 154.61.71.13 - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (652 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

raccoon

Botnet

ff236091d9fbac249beeec4137efd72b5327efd9

C2

http://35.240.36.208/gate/log.php

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=12JPrOMXQIwvLmvbb60igt1JLe1WETE6M

rc4.plain

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

host.bin.exe

pid process

296 host.bin.exe
296 host.bin.exe
Loads dropped DLL 3 IoCs

Processes:

host.bin.exe

pid process

296 host.bin.exe
296 host.bin.exe
296 host.bin.exe

pid	process
296	host.bin.exe
296	host.bin.exe

pid	process
296	host.bin.exe
296	host.bin.exe
296	host.bin.exe

Checks for installed software on the system 1 TTPs 30 IoCs

discovery

Query Registry

T1012

Processes:

host.bin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	host.bin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	host.bin.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	host.bin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	host.bin.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	host.bin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	host.bin.exe
Key opened	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	host.bin.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3940 timeout.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

host.bin.exe

pid process

3996 host.bin.exe

pid	process
3940	timeout.exe

pid	process
3996	host.bin.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

host.bin.exehost.bin.execmd.exe

description	pid	process	target process
PID 3996 wrote to memory of 296	3996	host.bin.exe	host.bin.exe
PID 3996 wrote to memory of 296	3996	host.bin.exe	host.bin.exe
PID 3996 wrote to memory of 296	3996	host.bin.exe	host.bin.exe
PID 3996 wrote to memory of 296	3996	host.bin.exe	host.bin.exe
PID 296 wrote to memory of 4004	296	host.bin.exe	cmd.exe
PID 296 wrote to memory of 4004	296	host.bin.exe	cmd.exe
PID 296 wrote to memory of 4004	296	host.bin.exe	cmd.exe
PID 4004 wrote to memory of 3940	4004	cmd.exe	timeout.exe
PID 4004 wrote to memory of 3940	4004	cmd.exe	timeout.exe
PID 4004 wrote to memory of 3940	4004	cmd.exe	timeout.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

host.bin.exe

pid process

3996 host.bin.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

host.bin.exe

description pid process target process

PID 3996 set thread context of 296 3996 host.bin.exe host.bin.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3996	host.bin.exe

description	pid	process	target process
PID 3996 set thread context of 296	3996	host.bin.exe	host.bin.exe

C:\Users\Admin\AppData\Local\Temp\host.bin.exe
"C:\Users\Admin\AppData\Local\Temp\host.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3996
- C:\Users\Admin\AppData\Local\Temp\host.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\host.bin.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Loads dropped DLL
  - Checks for installed software on the system
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\host.bin.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/296-7-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/296-8-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3996-2-0x000000000078D000-0x0000000000790000-memory.dmp

Filesize
12KB

Download
memory/3996-3-0x000000000079E000-0x00000000007A3000-memory.dmp

Filesize
20KB

Download
memory/3996-4-0x000000000087A000-0x000000000087F000-memory.dmp

Filesize
20KB

Download
memory/3996-5-0x000000000087A000-0x000000000087F000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads