raccoon | b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91

General

Target

b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
Size

418KB
MD5

869df30f8e68075ef71c5fb55d0bd21f
SHA1

d71a9d73f2a2d12ea457d887209d8f846f1a3457
SHA256

b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91
SHA512

8236a65f8a43f5b09150ace10f736984aac02bad26c09ec6dfdd8f0f3a8f7e676186b5658b7ca8ef799e9b233f3af70482d26588caee116f97071ba9b3911081

Score

10^/10

raccoon b3ed1d79826001317754d88a62db05820a1ecd19 stealer

Malware Config

Extracted

Family

raccoon

Botnet

b3ed1d79826001317754d88a62db05820a1ecd19

Attributes

url4cnc
http://teleliver.top/agrybirdsgamerept

http://livetelive.top/agrybirdsgamerept

http://teleger.top/agrybirdsgamerept

http://telestrong.top/agrybirdsgamerept

http://tgrampro.top/agrybirdsgamerept

http://teleghost.top/agrybirdsgamerept

http://teleroom.top/agrybirdsgamerept

http://telemir.top/agrybirdsgamerept

http://teletelo.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe

description	pid	process	target process
PID 3388 set thread context of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1324 2972 WerFault.exe b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe

pid	pid_target	process	target process
1324	2972	WerFault.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1324 WerFault.exe
Token: SeBackupPrivilege 1324 WerFault.exe
Token: SeDebugPrivilege 1324 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1324	WerFault.exe
Token: SeBackupPrivilege	1324	WerFault.exe
Token: SeDebugPrivilege	1324	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe

description	pid	process	target process
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
PID 3388 wrote to memory of 2972	3388	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe	b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe

C:\Users\Admin\AppData\Local\Temp\b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
"C:\Users\Admin\AppData\Local\Temp\b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe
  "C:\Users\Admin\AppData\Local\Temp\b8143106a1a8c782395cbd828bec11b132a4963bad60b213ba15e0e857fe5a91.exe"
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 184
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2972-115-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2972-116-0x000000000043E9BE-mapping.dmp

Download
memory/3388-117-0x00000000021D0000-0x000000000221E000-memory.dmp

Filesize
312KB

Download
memory/3388-118-0x00000000022A0000-0x000000000232E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads