Overview

overview

10

Static

static

65ecbb1c38...98.exe

windows7_x64

10

65ecbb1c38...98.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    07-11-2021 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65ecbb1c38b4ac891d8a90870e115398.exe

  • Size

    591KB

  • MD5

    65ecbb1c38b4ac891d8a90870e115398

  • SHA1

    78e3f1782d238b6375224a3ce7793b1cb08a95d4

  • SHA256

    58c1b22873a1eab4f8a7cc5a26085a2968637eaa3f22e7cbe8032ad6f25bbd38

  • SHA512

    a95b0ccaecdf007c4590efde4e56ec4e65b8d900e2070726393b912f4ef37b3761a641e7c85dfe8a9698f1bf9864afc8613d956e14414d5a0c78c00aa17a7dd9

Score
10/10
raccoona741159db87f9df2b687764994c63c4c859ea476stealer

Malware Config

Extracted

Family

raccoon

Version

1.8.3

Botnet

a741159db87f9df2b687764994c63c4c859ea476

Attributes
  • url4cnc

    http://178.23.190.57/hiioBlacklight1

    http://91.219.236.162/hiioBlacklight1

    http://185.163.47.176/hiioBlacklight1

    http://193.38.54.238/hiioBlacklight1

    http://74.119.192.122/hiioBlacklight1

    http://91.219.236.240/hiioBlacklight1

    https://t.me/hiioBlacklight1

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65ecbb1c38b4ac891d8a90870e115398.exe
    "C:\Users\Admin\AppData\Local\Temp\65ecbb1c38b4ac891d8a90870e115398.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 420
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/992-58-0x0000000000000000-mapping.dmp
    Download
  • memory/992-60-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1880-55-0x0000000000A7D000-0x0000000000ACC000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1880-56-0x0000000075D41000-0x0000000075D43000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1880-57-0x0000000000220000-0x00000000002AF000-memory.dmp
    Filesize

    572KB

    Download
  • memory/1880-59-0x0000000000400000-0x0000000000937000-memory.dmp
    Filesize

    5.2MB

    Download