Analysis

  • max time kernel
    15s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    08-05-2021 21:26

General

  • Target

    7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe

  • Size

    542KB

  • MD5

    23fed1c9856f4e0565d76ba346197dbc

  • SHA1

    ba795084b2b4b46b9f66fddc1fd908cc87fd852b

  • SHA256

    7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b737a2c0b8b1d7d04d5c

  • SHA512

    ff807b61069827af82fa727bd52835ad4f84139c6ed4900e6043711f5f2ad85cac54696618781da93e835c04a2c4377ed65e934b5cfdc6588129bf177564b7aa

Malware Config

Extracted

Family

raccoon

Botnet

a3a85b69314053c3bb015532d1a960a3d08baeb8

Attributes
  • url4cnc

    https://telete.in/baudemars

rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe
    "C:\Users\Admin\AppData\Local\Temp\7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe"
    1⤵
      PID:784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 736
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3392
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 820
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 896
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1848
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 924
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 920
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1484

Network

MITRE ATT&CK Matrix

Downloads

  • memory/784-114-0x0000000000980000-0x0000000000ACA000-memory.dmp
    Filesize

    1.3MB

  • memory/784-115-0x0000000000400000-0x0000000000882000-memory.dmp
    Filesize

    4.5MB