raccoon | 26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c

General

Target

26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
Size

418KB
MD5

d2b4bce01df5f735c3e813dc8b5eed17
SHA1

78c316416f1a56078e5cd7fa862eec303d239bda
SHA256

26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c
SHA512

69b5b0d936e374563d196147593ffbdae2f1bce27d74fab9474fb081bb5208d6ee95ca6410de3082f5293c36e961489efd4cad45cd1c74bea9fef8dfeac566b8

Score

10^/10

raccoon b3ed1d79826001317754d88a62db05820a1ecd19 stealer

Malware Config

Extracted

Family

raccoon

Botnet

b3ed1d79826001317754d88a62db05820a1ecd19

Attributes

url4cnc
http://teleliver.top/agrybirdsgamerept

http://livetelive.top/agrybirdsgamerept

http://teleger.top/agrybirdsgamerept

http://telestrong.top/agrybirdsgamerept

http://tgrampro.top/agrybirdsgamerept

http://teleghost.top/agrybirdsgamerept

http://teleroom.top/agrybirdsgamerept

http://telemir.top/agrybirdsgamerept

http://teletelo.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe

description	pid	process	target process
PID 3464 set thread context of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1576 988 WerFault.exe 26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe

pid	pid_target	process	target process
1576	988	WerFault.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1576 WerFault.exe
Token: SeBackupPrivilege 1576 WerFault.exe
Token: SeDebugPrivilege 1576 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1576	WerFault.exe
Token: SeBackupPrivilege	1576	WerFault.exe
Token: SeDebugPrivilege	1576	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe

description	pid	process	target process
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
PID 3464 wrote to memory of 988	3464	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe	26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe

C:\Users\Admin\AppData\Local\Temp\26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
"C:\Users\Admin\AppData\Local\Temp\26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe
"C:\Users\Admin\AppData\Local\Temp\26571901dd3d00cab655189578adb869bd030c75e30ba7256ccbcaa59cc7f63c.exe"
2⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 184
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-115-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/988-116-0x000000000043E9BE-mapping.dmp

Download
memory/3464-117-0x00000000005D0000-0x000000000071A000-memory.dmp

Filesize
1.3MB

Download
memory/3464-118-0x0000000002210000-0x000000000229E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads