Behavioral Report

General

Target

mixsix_20211029-001408.exe
Size

648KB
MD5

fca8bb3b8d137449cba1fbf406e0d1eb
SHA1

8b2a7d56695e4aea122e37b3a5a371a16cfa5c2d
SHA256

249153197eafedc3426d55f6a12fbe041acb4527bc8c31f007ea1798d30df7b9
SHA512

71c04d60d49ce9ed3314752171b6b9ca102cf80dc113b9af56a2be2b6fd790b83a890b95319ec701444a0b41fb644299d0e5b4a84f86c7cb37411eb95e20eb90

Score

10^/10

raccoon 7c9b4504a63ed23664e38808e65948379b790395 stealer

Malware Config

Extracted

Family

raccoon

Botnet

7c9b4504a63ed23664e38808e65948379b790395

Attributes

url4cnc
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2812 created 3848 2812 WerFault.exe mixsix_20211029-001408.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mixsix_20211029-001408.exe

description pid process target process

PID 3748 set thread context of 3848 3748 mixsix_20211029-001408.exe mixsix_20211029-001408.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2812 3848 WerFault.exe mixsix_20211029-001408.exe

description	pid	process	target process
PID 2812 created 3848	2812	WerFault.exe	mixsix_20211029-001408.exe

description	pid	process	target process
PID 3748 set thread context of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe

pid	pid_target	process	target process
2812	3848	WerFault.exe	mixsix_20211029-001408.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2812 WerFault.exe
Token: SeBackupPrivilege 2812 WerFault.exe
Token: SeDebugPrivilege 2812 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2812	WerFault.exe
Token: SeBackupPrivilege	2812	WerFault.exe
Token: SeDebugPrivilege	2812	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

mixsix_20211029-001408.exe

description	pid	process	target process
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe
PID 3748 wrote to memory of 3848	3748	mixsix_20211029-001408.exe	mixsix_20211029-001408.exe

C:\Users\Admin\AppData\Local\Temp\mixsix_20211029-001408.exe
"C:\Users\Admin\AppData\Local\Temp\mixsix_20211029-001408.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\mixsix_20211029-001408.exe
"C:\Users\Admin\AppData\Local\Temp\mixsix_20211029-001408.exe"
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 764
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

00:00 00:00

Downloads

memory/3748-116-0x00000000031F0000-0x0000000003282000-memory.dmp

Filesize
584KB

Download
memory/3748-117-0x0000000000400000-0x0000000002F68000-memory.dmp

Filesize
43MB

Download
memory/3748-115-0x0000000003060000-0x00000000031AA000-memory.dmp

Filesize
1MB

Download
memory/3748-121-0x00000000032D0000-0x0000000003363000-memory.dmp

Filesize
588KB

Download
memory/3848-119-0x0000000000400000-0x0000000002DE8000-memory.dmp

Filesize
41MB

Download
memory/3848-120-0x0000000000457320-mapping.dmp

Download
memory/3848-122-0x00000000030A4000-0x00000000030F3000-memory.dmp

Filesize
316KB

Download
memory/3848-123-0x0000000000400000-0x0000000002DE8000-memory.dmp

Filesize
41MB

Download
memory/3848-125-0x0000000002DF0000-0x0000000002F3A000-memory.dmp

Filesize
1MB

Download
memory/3848-124-0x0000000000400000-0x0000000002DE8000-memory.dmp

Filesize
41MB

Download
memory/3848-126-0x0000000000400000-0x0000000002DE8000-memory.dmp

Filesize
41MB

Download

Analysis

Sharing