raccoon | c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8

General

Target

c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Size

512KB
MD5

de53e8d73fe96e1ceab93e3aee4751ec
SHA1

98e010e66213ba828ead9debe86263bca9407509
SHA256

c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8
SHA512

e2e692971b0fb5b1244b08e952045f6b342f968a2f5ba8f3d28b3e4cd0bf34af89c63a1923ca16991c43e6376cbab113b3c43d194dc8639ce8d04881bfdc95c5

Score

10^/10

raccoon fd16367b73441d6f39c715f71a74a399a84f0b41 collection discovery spyware stealer suricata

Malware Config

Extracted

Family

raccoon

Version

1.8.2

Botnet

fd16367b73441d6f39c715f71a74a399a84f0b41

Attributes

url4cnc
http://teletop.top/terra11nc

http://teleta.top/terra11nc

https://t.me/terra11nc

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata
Downloads MZ/PE file

Loads dropped DLL 5 IoCs

pid	Process
3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe

Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1920	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 968	3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe	68
PID 3492 wrote to memory of 968	3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe	68
PID 3492 wrote to memory of 968	3492	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe	68
PID 968 wrote to memory of 1920	968	cmd.exe	70
PID 968 wrote to memory of 1920	968	cmd.exe	70
PID 968 wrote to memory of 1920	968	cmd.exe	70

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe

C:\Users\Admin\AppData\Local\Temp\c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe
"C:\Users\Admin\AppData\Local\Temp\c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe"
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\c8457e14bf16d40d5e7f36f81982957ffa6cd2fe17a7c1a37333a133effc41a8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3492-114-0x0000000000B00000-0x0000000000B8E000-memory.dmp

Filesize
568KB

Download
memory/3492-115-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads