raccoon | 5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad

General

Target

5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe
Size

514KB
MD5

497aeffe6df59a1b343318ba0f1ce85d
SHA1

0386697040b616f12ece654dea903c0c2cd241d1
SHA256

5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad
SHA512

4b31951d44f5f84c343ef9ac60f757b1ccabad4b043b7305db7c85e665bd4d6b84e55f3b6d22ea76d462cdafcfcf28a685a7aa280344313199efb7e9a276a830

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3432	4640	WerFault.exe	5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe
4240	4640	WerFault.exe	5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe
756	4640	WerFault.exe	5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe
4172	4640	WerFault.exe	5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe
4080	4640	WerFault.exe	5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe
4392	4640	WerFault.exe	5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe

Suspicious behavior: EnumeratesProcesses 84 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
4240	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3432	WerFault.exe
Token: SeBackupPrivilege	3432	WerFault.exe
Token: SeDebugPrivilege	3432	WerFault.exe
Token: SeDebugPrivilege	4240	WerFault.exe
Token: SeDebugPrivilege	756	WerFault.exe
Token: SeDebugPrivilege	4172	WerFault.exe
Token: SeDebugPrivilege	4080	WerFault.exe
Token: SeDebugPrivilege	4392	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe
"C:\Users\Admin\AppData\Local\Temp\5246bb9190cbafb997fa24b0f9fa33e89f3f3cf9172d1b447e2303ba31b419ad.exe"
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 736
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 848
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 736
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 896
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1208
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1292
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-10-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/756-13-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3432-5-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/3432-2-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/3432-3-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/4080-24-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4080-20-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/4172-14-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4172-17-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4240-9-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4240-6-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/4392-86-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4392-89-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/4640-1-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/4640-0-0x00000000025E2000-0x00000000025E3000-memory.dmp

Filesize
4KB

Download
memory/4640-84-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/4640-85-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads