raccoon | 0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9

General

Target

0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe
Size

485KB
MD5

0188db2bc266f5a2ed558ead41ef284d
SHA1

3450f799120b5b03e24dd12224b162902c54b8a8
SHA256

0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9
SHA512

920a3674f21162027553d398c66c808e283ea25990c6ef8852ed1265c2a85759322b5f0cc0355cca16a19abf89c30c616e476a336edfa4bafb238da59eb6b4b9

Score

10^/10

raccoon stealer

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1780	2208	WerFault.exe	0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe
1752	2208	WerFault.exe	0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe
712	2208	WerFault.exe	0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe
2804	2208	WerFault.exe	0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe
3944	2208	WerFault.exe	0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe
2056	2208	WerFault.exe	0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe

Suspicious behavior: EnumeratesProcesses 84 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

C:\Users\Admin\AppData\Local\Temp\0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe
"C:\Users\Admin\AppData\Local\Temp\0a960704c8bcb0ed112cfe822f2ddb664669ffbddbdc936eb57976949db0faf9.exe"
1⤵
PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 736
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 820
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 824
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 896
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1188
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1200
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2056

memory/712-13-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/712-10-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1752-6-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/1752-9-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1780-3-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1780-5-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1780-2-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/2056-22-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2056-25-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2208-0-0x0000000000C92000-0x0000000000C93000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2804-14-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/2804-17-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/3944-18-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/3944-21-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download