raccoon | 13333d8111107cce84e50c0264e4b3ffa7af34802de26de7d229ca86782db674

General

Target

13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
Size

396KB
MD5

01f848f1bea5fee38c9b3ace82d48517
SHA1

bd35c42b99d9c5e4e136505030f3d8f62f33d04f
SHA256

13333d8111107cce84e50c0264e4b3ffa7af34802de26de7d229ca86782db674
SHA512

e86e4f88f5ba7d1dcfad9f04b937dbc4c858b4bfdf51f94fe89f4e37d210b23aec40624a5b7c42f9d66d096dc174dcb6d30bae54d06cfe603ff6a837d707786f

Score

10^/10

raccoon 16992cd33145ccbb6feeacb4e84400a56448fa14 stealer

Malware Config

Extracted

Family

raccoon

Botnet

16992cd33145ccbb6feeacb4e84400a56448fa14

Attributes

url4cnc
https://telete.in/baudemars

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1824 2016 WerFault.exe 13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe

pid	pid_target	process	target process
1824	2016	WerFault.exe	13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1824 WerFault.exe
1824 WerFault.exe
1824 WerFault.exe
1824 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1824 WerFault.exe

pid	process
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1824	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe

description	pid	process	target process
PID 2016 wrote to memory of 1824	2016	13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe	WerFault.exe
PID 2016 wrote to memory of 1824	2016	13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe	WerFault.exe
PID 2016 wrote to memory of 1824	2016	13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe	WerFault.exe
PID 2016 wrote to memory of 1824	2016	13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
"C:\Users\Admin\AppData\Local\Temp\13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 520
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-62-0x0000000000000000-mapping.dmp

Download
memory/1824-63-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2016-59-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/2016-60-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2016-61-0x0000000000400000-0x0000000002BD3000-memory.dmp

Filesize
39.8MB

Download

Analysis

Sharing