raccoon | ec727ae162ab240cc61660b11b1063b148fde2209b1ae62b18ff0f3283696fc1 | Triage

Analysis

max time kernel
118s
max time network
117s
platform
windows10_x64
resource
win10v20210408
submitted
15-04-2021 15:00

Sharing

Report Analysis Logs

General

Target

76b9b31c27624c0351e3c48dadc4151d.exe
Size

525KB
MD5

76b9b31c27624c0351e3c48dadc4151d
SHA1

9f60021db4d96cddba929ee51d3906e05146bd85
SHA256

ec727ae162ab240cc61660b11b1063b148fde2209b1ae62b18ff0f3283696fc1
SHA512

b0f0be1b11723b43ca9ffbae662fd53c01fda1d8dec10169adbd837cfb0a876c32717412f3ac0d665c5bd698bb4ee754a4ec14d99b6685980cb5f6558f2ec577

Score

10^/10

raccoon 5442f281fb8a4ac6d19427ed61032791e65b8e1b stealer

Malware Config

Extracted

Family

raccoon

Botnet

5442f281fb8a4ac6d19427ed61032791e65b8e1b

Attributes

url4cnc
https://telete.in/jdiamond13

rc4.plain

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3680 created 636 3680 WerFault.exe 76b9b31c27624c0351e3c48dadc4151d.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3680 636 WerFault.exe 76b9b31c27624c0351e3c48dadc4151d.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3680 WerFault.exe
Token: SeBackupPrivilege 3680 WerFault.exe
Token: SeDebugPrivilege 3680 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\76b9b31c27624c0351e3c48dadc4151d.exe
"C:\Users\Admin\AppData\Local\Temp\76b9b31c27624c0351e3c48dadc4151d.exe"
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1172
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-114-0x00000000024B0000-0x0000000002541000-memory.dmp

Filesize
580KB

Download
memory/636-115-0x0000000000400000-0x000000000087C000-memory.dmp

Filesize
4.5MB

Download