raccoon | e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34

General

Target

e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
Size

418KB
MD5

a9c3d1e84f863f833a33456b7a7b15f1
SHA1

01266e0e793324386b50f938e546a0224f8a7db4
SHA256

e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34
SHA512

3224b583355a39a8f3e3e786073228ec95c4cc69c6b67855223b16d0b8990012e0d3b8ee8b1c85c70de8bb89b6db216d03aa4789c2e60daf5ed04622846d8836

Score

10^/10

raccoon b3ed1d79826001317754d88a62db05820a1ecd19 stealer

Malware Config

Extracted

Family

raccoon

Botnet

b3ed1d79826001317754d88a62db05820a1ecd19

Attributes

url4cnc
http://teleliver.top/agrybirdsgamerept
http://livetelive.top/agrybirdsgamerept
http://teleger.top/agrybirdsgamerept
http://telestrong.top/agrybirdsgamerept
http://tgrampro.top/agrybirdsgamerept
http://teleghost.top/agrybirdsgamerept
http://teleroom.top/agrybirdsgamerept
http://telemir.top/agrybirdsgamerept
http://teletelo.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe

description	pid	process	target process
PID 412 set thread context of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1300 2564 WerFault.exe e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe

pid	pid_target	process	target process
1300	2564	WerFault.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1300 WerFault.exe
Token: SeBackupPrivilege 1300 WerFault.exe
Token: SeDebugPrivilege 1300 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1300	WerFault.exe
Token: SeBackupPrivilege	1300	WerFault.exe
Token: SeDebugPrivilege	1300	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe

description	pid	process	target process
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
PID 412 wrote to memory of 2564	412	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe	e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe

C:\Users\Admin\AppData\Local\Temp\e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
"C:\Users\Admin\AppData\Local\Temp\e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe
"C:\Users\Admin\AppData\Local\Temp\e69cef22b08659aa21819fe5568f546f9c00d8b29850aeb0cab442fb80cc8a34.exe"
2⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 184
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-118-0x00000000021E0000-0x000000000222E000-memory.dmp

Filesize
312KB

Download
memory/412-119-0x0000000002230000-0x00000000022BE000-memory.dmp

Filesize
568KB

Download
memory/2564-117-0x000000000043E9BE-mapping.dmp

Download
memory/2564-116-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads