raccoon | 56f1c287ea437e4642a04cfb0f44f2dcc74a0eeb3204aba76fd0c64f31b0dffd | Triage

Analysis

max time kernel
88s
max time network
161s
platform
windows10_x64
resource
win10v20210408
submitted
11-08-2021 20:45

Sharing

Report Analysis Logs

General

Target

41FA35AD45D4442404F2F970EE3578B8.exe
Size

6.6MB
MD5

41fa35ad45d4442404f2f970ee3578b8
SHA1

61577d5ff6b0c870d51fbb3463ce920b2cd191a7
SHA256

56f1c287ea437e4642a04cfb0f44f2dcc74a0eeb3204aba76fd0c64f31b0dffd
SHA512

778972963c3aa9119877e7ab885b14eb2eadbe9bf3bba28365fee48e4bb4ba351680a980cb2c34ceafaa2258ccd86c28ee1532667cf3aec138c647eab8819096

Score

10^/10

raccoon bb8d3701ca5d8e031967c87b862623b34997b3d1 stealer

Malware Config

Extracted

Family

raccoon

Botnet

bb8d3701ca5d8e031967c87b862623b34997b3d1

Attributes

url4cnc
https://telete.in/jdiamond13

rc4.plain

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3128-114-0x0000000002BF0000-0x0000000002C81000-memory.dmp	family_raccoon
behavioral2/memory/3128-115-0x0000000000400000-0x0000000000E7B000-memory.dmp	family_raccoon

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2352 created 3128 2352 WerFault.exe 41FA35AD45D4442404F2F970EE3578B8.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2352 3128 WerFault.exe 41FA35AD45D4442404F2F970EE3578B8.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2352 WerFault.exe
Token: SeBackupPrivilege 2352 WerFault.exe
Token: SeDebugPrivilege 2352 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\41FA35AD45D4442404F2F970EE3578B8.exe
"C:\Users\Admin\AppData\Local\Temp\41FA35AD45D4442404F2F970EE3578B8.exe"
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1184
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3128-114-0x0000000002BF0000-0x0000000002C81000-memory.dmp

Filesize
580KB

Download
memory/3128-115-0x0000000000400000-0x0000000000E7B000-memory.dmp

Filesize
10.5MB

Download