raccoon | hxxp://5[.]61[.]33[.]200/henos[.]exe

General

Target

http://5.61.33.200/henos.exe
Sample

210225-1m7dl96gn2

Score

10^/10

raccoon 21caed469b59526d75348692eec1d8ae289ec69c stealer

Malware Config

Extracted

Family

raccoon

Botnet

21caed469b59526d75348692eec1d8ae289ec69c

Attributes

url4cnc
https://telete.in/j90maninblack

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 2836 created 4964 2836 WerFault.exe henos.exe
PID 3848 created 4168 3848 WerFault.exe henos.exe
Executes dropped EXE 2 IoCs

Processes:

henos.exehenos.exe

pid process

4964 henos.exe
4168 henos.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2836 4964 WerFault.exe henos.exe
3848 4168 WerFault.exe henos.exe

description	pid	process	target process
PID 2836 created 4964	2836	WerFault.exe	henos.exe
PID 3848 created 4168	3848	WerFault.exe	henos.exe

pid	process
4964	henos.exe
4168	henos.exe

pid	pid_target	process	target process
2836	4964	WerFault.exe	henos.exe
3848	4168	WerFault.exe	henos.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\henos.exe:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\henos.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe
3848	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

firefox.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeRestorePrivilege	2836	WerFault.exe
Token: SeBackupPrivilege	2836	WerFault.exe
Token: SeDebugPrivilege	2836	WerFault.exe
Token: SeDebugPrivilege	3848	WerFault.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe
Token: SeDebugPrivilege	3980	firefox.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

firefox.exe

pid	process
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

firefox.exe

pid	process
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

firefox.exe

pid	process
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 1144 wrote to memory of 3980	1144	firefox.exe	firefox.exe
PID 3980 wrote to memory of 360	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 360	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1204	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1768	3980	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://5.61.33.200/henos.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://5.61.33.200/henos.exe
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.0.1515205750\1389800827" -parentBuildID 20200403170909 -prefsHandle 1548 -prefMapHandle 1540 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 1632 gpu
3⤵
PID:360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.3.981386905\2082739148" -childID 1 -isForBrowser -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 156 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 2308 tab
3⤵
PID:1204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.13.2127610964\1383672278" -childID 2 -isForBrowser -prefsHandle 3200 -prefMapHandle 3196 -prefsLen 7013 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 3212 tab
3⤵
PID:1768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.20.1394844916\1555071412" -childID 3 -isForBrowser -prefsHandle 4216 -prefMapHandle 1404 -prefsLen 7969 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 4112 tab
3⤵
PID:4352

C:\Users\Admin\Downloads\henos.exe
"C:\Users\Admin\Downloads\henos.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 660
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:420

C:\Users\Admin\Downloads\henos.exe
"C:\Users\Admin\Downloads\henos.exe"
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1108
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\henos.exe
MD5
bfbc5c7fdfdaf8147dbf6d1e4ea3e4f0

SHA1
318923e7cb849bee7f09fe18ea79e506311fb100

SHA256
7dca5264c8f0417686482b9f17571a60ac0e399180340deca165fe7fe2a9eb81

SHA512
24a9d67c7760fc867368be65b8a607f4ff364941d820f5cae38ec06aff1ccb299449e18ac70335bf7bd732ce92f80d752f3c6cc695073c8b0ade3e8017b8e2c6

Download Submit
C:\Users\Admin\Downloads\henos.exe
MD5
bfbc5c7fdfdaf8147dbf6d1e4ea3e4f0

SHA1
318923e7cb849bee7f09fe18ea79e506311fb100

SHA256
7dca5264c8f0417686482b9f17571a60ac0e399180340deca165fe7fe2a9eb81

SHA512
24a9d67c7760fc867368be65b8a607f4ff364941d820f5cae38ec06aff1ccb299449e18ac70335bf7bd732ce92f80d752f3c6cc695073c8b0ade3e8017b8e2c6

Download Submit
C:\Users\Admin\Downloads\henos.exe
MD5
bfbc5c7fdfdaf8147dbf6d1e4ea3e4f0

SHA1
318923e7cb849bee7f09fe18ea79e506311fb100

SHA256
7dca5264c8f0417686482b9f17571a60ac0e399180340deca165fe7fe2a9eb81

SHA512
24a9d67c7760fc867368be65b8a607f4ff364941d820f5cae38ec06aff1ccb299449e18ac70335bf7bd732ce92f80d752f3c6cc695073c8b0ade3e8017b8e2c6

Download Submit
memory/360-3-0x0000000000000000-mapping.dmp

Download
memory/1204-4-0x0000000000000000-mapping.dmp

Download
memory/1768-5-0x0000000000000000-mapping.dmp

Download
memory/2836-16-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/2836-17-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/3848-23-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/3980-2-0x0000000000000000-mapping.dmp

Download
memory/4168-22-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4168-20-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/4352-6-0x0000000000000000-mapping.dmp

Download
memory/4964-10-0x0000000004000000-0x0000000004092000-memory.dmp

Filesize
584KB

Download
memory/4964-11-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4964-9-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads