raccoon | 924dd7da4bccf24de55307c9754c1e8e44f4706bdaebf80e8f9c60ebdb330635

General

Target

df49ccf5c15760b4162ee2e7bc3bf1cc.exe
Size

525KB
MD5

df49ccf5c15760b4162ee2e7bc3bf1cc
SHA1

c55bcfb1d4221252d9474fd3aa8627f1296daef0
SHA256

924dd7da4bccf24de55307c9754c1e8e44f4706bdaebf80e8f9c60ebdb330635
SHA512

15fda008804d8a9bc65bf115e6033b6de5b6e34391449a103e1b14e797df359272fcee6170df05d1d120826eb873a50a8dc1d29a3e9a54e18c8d3212deb2fece

Score

10^/10

raccoon 2ce901d964b370c5ccda7e4d68354ba040db8218 stealer

Malware Config

Extracted

Family

raccoon

Botnet

2ce901d964b370c5ccda7e4d68354ba040db8218

Attributes

url4cnc
https://telete.in/tomarsjsmith3

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

396 1240 WerFault.exe df49ccf5c15760b4162ee2e7bc3bf1cc.exe

pid	pid_target	process	target process
396	1240	WerFault.exe	df49ccf5c15760b4162ee2e7bc3bf1cc.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

df49ccf5c15760b4162ee2e7bc3bf1cc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	df49ccf5c15760b4162ee2e7bc3bf1cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	df49ccf5c15760b4162ee2e7bc3bf1cc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

396 WerFault.exe
396 WerFault.exe
396 WerFault.exe
396 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 396 WerFault.exe

pid	process
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	396	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

df49ccf5c15760b4162ee2e7bc3bf1cc.exe

description	pid	process	target process
PID 1240 wrote to memory of 396	1240	df49ccf5c15760b4162ee2e7bc3bf1cc.exe	WerFault.exe
PID 1240 wrote to memory of 396	1240	df49ccf5c15760b4162ee2e7bc3bf1cc.exe	WerFault.exe
PID 1240 wrote to memory of 396	1240	df49ccf5c15760b4162ee2e7bc3bf1cc.exe	WerFault.exe
PID 1240 wrote to memory of 396	1240	df49ccf5c15760b4162ee2e7bc3bf1cc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\df49ccf5c15760b4162ee2e7bc3bf1cc.exe
"C:\Users\Admin\AppData\Local\Temp\df49ccf5c15760b4162ee2e7bc3bf1cc.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 516
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-6-0x0000000000000000-mapping.dmp

Download
memory/396-7-0x00000000020F0000-0x0000000002101000-memory.dmp

Filesize
68KB

Download
memory/396-8-0x00000000020F0000-0x0000000002101000-memory.dmp

Filesize
68KB

Download
memory/396-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1240-2-0x0000000000A70000-0x0000000000A81000-memory.dmp

Filesize
68KB

Download
memory/1240-3-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1240-4-0x00000000008F0000-0x0000000000981000-memory.dmp

Filesize
580KB

Download
memory/1240-5-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing