raccoon | bafa6f042552c18bf66ad5aa9243cdea3e09e050bbefa354b67802866eb8d19f

General

Target

Sirus.exe
Size

1.7MB
MD5

d3752c9e4466ffa7dcf4b5a065e9c274
SHA1

997d4d61d1691862f8aab10b94c9d654f2a65e3e
SHA256

f6598f853f981a4bcb58922d3584833086de09b9a7a6f368ca56cda7677f8126
SHA512

de0a9708836266b2ac06077ace01bc0d8cac53d94efcdf14e337f0bd29b7f985cf03465a5c6d7df1a8e2065a69bcb33f7f3aa0845a26be67e6a66852ef1a9f23

Score

10^/10

raccoon 1a329a10c40d1d7de968ac01620072546be15062 discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

1a329a10c40d1d7de968ac01620072546be15062

Attributes

url4cnc
https://tttttt.me/jrrand0mer

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

AcuOiVHVN7.exe

pid process

2128 AcuOiVHVN7.exe
Loads dropped DLL 1 IoCs

Processes:

Sirus.exe

pid process

1984 Sirus.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sirus.exe

description pid process target process

PID 856 set thread context of 1984 856 Sirus.exe Sirus.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Sirus.exe

pid process

856 Sirus.exe
856 Sirus.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Sirus.exe

description pid process

Token: SeDebugPrivilege 856 Sirus.exe

pid	process
2128	AcuOiVHVN7.exe

pid	process
1984	Sirus.exe

description	pid	process	target process
PID 856 set thread context of 1984	856	Sirus.exe	Sirus.exe

pid	process
856	Sirus.exe
856	Sirus.exe

description	pid	process
Token: SeDebugPrivilege	856	Sirus.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Sirus.exeSirus.exe

description	pid	process	target process
PID 856 wrote to memory of 2172	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 2172	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 2172	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 856 wrote to memory of 1984	856	Sirus.exe	Sirus.exe
PID 1984 wrote to memory of 2128	1984	Sirus.exe	AcuOiVHVN7.exe
PID 1984 wrote to memory of 2128	1984	Sirus.exe	AcuOiVHVN7.exe
PID 1984 wrote to memory of 2128	1984	Sirus.exe	AcuOiVHVN7.exe

C:\Users\Admin\AppData\Local\Temp\Sirus.exe
"C:\Users\Admin\AppData\Local\Temp\Sirus.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\Sirus.exe
"{path}"
2⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\Sirus.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exe
"C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exe"
3⤵
- Executes dropped EXE
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exe
MD5
6ae21549fb8869f8da1acec258c48e0b

SHA1
aed533b121fbbb481e598bc3e73cb90556db55f3

SHA256
80fff049a91ba68ca61e228c88dd80d16e416ab54fd66c87c5c5ea2e85d44b58

SHA512
abd624fb7181436abe539166e4030a6982f3c572bb341105fb237787e7485c5a9e7a289e58b9e2346f37eeeadcb4f82fb816d2aa3a5b4a97082238279d198136

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exe
MD5
6ae21549fb8869f8da1acec258c48e0b

SHA1
aed533b121fbbb481e598bc3e73cb90556db55f3

SHA256
80fff049a91ba68ca61e228c88dd80d16e416ab54fd66c87c5c5ea2e85d44b58

SHA512
abd624fb7181436abe539166e4030a6982f3c572bb341105fb237787e7485c5a9e7a289e58b9e2346f37eeeadcb4f82fb816d2aa3a5b4a97082238279d198136

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/856-119-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/856-118-0x00000000058A0000-0x0000000005D9E000-memory.dmp

Filesize
5.0MB

Download
memory/856-120-0x0000000008ED0000-0x0000000008ED1000-memory.dmp

Filesize
4KB

Download
memory/856-121-0x0000000005B80000-0x0000000005B85000-memory.dmp

Filesize
20KB

Download
memory/856-122-0x0000000009230000-0x00000000092E0000-memory.dmp

Filesize
704KB

Download
memory/856-123-0x000000000B8E0000-0x000000000B971000-memory.dmp

Filesize
580KB

Download
memory/856-116-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/856-114-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/856-117-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/1984-125-0x000000000043DC5B-mapping.dmp

Download
memory/1984-126-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1984-124-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2128-128-0x0000000000000000-mapping.dmp

Download
memory/2128-131-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2128-138-0x0000000007390000-0x000000000788E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing