Analysis

  • max time kernel: 13s
  • max time network: 102s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 27-02-2021 06:48

General

  • Target: 5efc99d9f6a8e501f7196aac0c8f82c5.exe
  • Size: 555KB
  • MD5: 5efc99d9f6a8e501f7196aac0c8f82c5
  • SHA1: 61565efdd1d8300d91795fd514219c6f92a1ef3e
  • SHA256: 48543c618981b229afd8f50a0cc5581e4325d098b1fc95c3074609d31e5e86a3
  • SHA512: f43d2b1b397a18c249ab83fbe944ba6e0421497ed3a3cb3247b10ba0ef663674902713fa6a55e6c5662f171d25cc91262bb99c004f669bb6e59b10006f2e1d93

Malware Config

Extracted

  • Family: raccoon
  • Botnet: a3a85b69314053c3bb015532d1a960a3d08baeb8
  • Attributes
    • url4cnc: https://telete.in/baudemars
    • rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5efc99d9f6a8e501f7196aac0c8f82c5.exe (PID 4764)
    "C:\Users\Admin\AppData\Local\Temp\5efc99d9f6a8e501f7196aac0c8f82c5.exe"
    • C:\Windows\SysWOW64\WerFault.exe (PID 3508)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 732
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\WerFault.exe (PID 3244)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 844
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\WerFault.exe (PID 3116)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 820
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\WerFault.exe (PID 4224)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 832
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\WerFault.exe (PID 4272)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 860
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Downloads

  • memory/3116-11-0x0000000004DD0000-0x0000000004DD1000-memory.dmp (4KB)
  • memory/3244-8-0x0000000004620000-0x0000000004621000-memory.dmp (4KB)
  • memory/3508-5-0x00000000047B0000-0x00000000047B1000-memory.dmp (4KB)
  • memory/3508-6-0x00000000047B0000-0x00000000047B1000-memory.dmp (4KB)
  • memory/4224-14-0x0000000004930000-0x0000000004931000-memory.dmp (4KB)
  • memory/4272-17-0x0000000004F20000-0x0000000004F21000-memory.dmp (4KB)
  • memory/4764-2-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (4KB)
  • memory/4764-4-0x0000000000400000-0x0000000000494000-memory.dmp (592KB)
  • memory/4764-3-0x0000000000960000-0x00000000009F2000-memory.dmp (584KB)