raccoon | 4b88caf98ce096cc16a0de0921c17f994215915b47e79bc3f5cad4c9642102cf | Triage

Analysis

max time kernel
136s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
18-04-2021 14:02

Sharing

Report Analysis Logs

General

Target

880dfcc2cd155e490aa61bce02ab4500.exe
Size

523KB
MD5

880dfcc2cd155e490aa61bce02ab4500
SHA1

71b77ae9b2c9471a09fc139e36ae8a91b68f54b4
SHA256

4b88caf98ce096cc16a0de0921c17f994215915b47e79bc3f5cad4c9642102cf
SHA512

92858ec16a7bae0ae5e3d28cf5e55d99b4ccdb560364e0a98f2c8eafa4aa6cd9c9a4e9f2cb4a924b8f8220812dddf136e89b6eb61d81059d5105d722b6f68fc5

Score

10^/10

raccoon fe080c9bfcbe54ed632d9562ae158e815dbdc717 stealer

Malware Config

Extracted

Family

raccoon

Botnet

fe080c9bfcbe54ed632d9562ae158e815dbdc717

Attributes

url4cnc
https://telete.in/jdiamond13

rc4.plain

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1984 created 852 1984 WerFault.exe 880dfcc2cd155e490aa61bce02ab4500.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1984 852 WerFault.exe 880dfcc2cd155e490aa61bce02ab4500.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1984 WerFault.exe
Token: SeBackupPrivilege 1984 WerFault.exe
Token: SeDebugPrivilege 1984 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\880dfcc2cd155e490aa61bce02ab4500.exe
"C:\Users\Admin\AppData\Local\Temp\880dfcc2cd155e490aa61bce02ab4500.exe"
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1196
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-114-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/852-115-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download