raccoon | 51785594b835ee188972c80f514ce698ed1262e0628c66df1d9e1ae23d484476 | Triage

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-11-2021 17:22

Sharing

Report Analysis Logs

General

Target

bbd9760541fb80a439fe1447ff6cdf58.exe
Size

422KB
MD5

bbd9760541fb80a439fe1447ff6cdf58
SHA1

e40fb8967ab3ecf50d1cf4b52c0124c81b7d86f6
SHA256

51785594b835ee188972c80f514ce698ed1262e0628c66df1d9e1ae23d484476
SHA512

32ee7bba722eb1cf5b359c8732cc23bd939b146f13d44e2e46505edec5712eeb7e842587911207db302d61ac7b4531735ec39f6d0cb484afda64e24863d84714

Score

10^/10

raccoon b3ed1d79826001317754d88a62db05820a1ecd19 stealer

Malware Config

Extracted

Family

raccoon

Botnet

b3ed1d79826001317754d88a62db05820a1ecd19

Attributes

url4cnc
http://teleliver.top/agrybirdsgamerept

http://livetelive.top/agrybirdsgamerept

http://teleger.top/agrybirdsgamerept

http://telestrong.top/agrybirdsgamerept

http://tgrampro.top/agrybirdsgamerept

http://teleghost.top/agrybirdsgamerept

http://teleroom.top/agrybirdsgamerept

http://telemir.top/agrybirdsgamerept

http://teletelo.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of SetThreadContext 1 IoCs

Processes:

bbd9760541fb80a439fe1447ff6cdf58.exe

description pid process target process

PID 760 set thread context of 1060 760 bbd9760541fb80a439fe1447ff6cdf58.exe bbd9760541fb80a439fe1447ff6cdf58.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

bbd9760541fb80a439fe1447ff6cdf58.exe

description	pid	process	target process
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe
PID 760 wrote to memory of 1060	760	bbd9760541fb80a439fe1447ff6cdf58.exe	bbd9760541fb80a439fe1447ff6cdf58.exe

C:\Users\Admin\AppData\Local\Temp\bbd9760541fb80a439fe1447ff6cdf58.exe
"C:\Users\Admin\AppData\Local\Temp\bbd9760541fb80a439fe1447ff6cdf58.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\bbd9760541fb80a439fe1447ff6cdf58.exe
"C:\Users\Admin\AppData\Local\Temp\bbd9760541fb80a439fe1447ff6cdf58.exe"
2⤵
PID:1060

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-57-0x0000000000220000-0x000000000026E000-memory.dmp

Filesize
312KB

Download
memory/760-58-0x0000000000340000-0x00000000003CE000-memory.dmp

Filesize
568KB

Download
memory/1060-55-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1060-56-0x000000000043E9BE-mapping.dmp

Download