raccoon | 648d4377805a064953a5f314f4038071a4d50fe85088e75c59136aa2a3d8c864 | Triage

Analysis

max time kernel
110s
max time network
126s
platform
windows10_x64
resource
win10-en-20211104
submitted
09-11-2021 10:17

Sharing

Report Analysis Logs

General

Target

0d049647c9597b5b0da270664071e355.exe
Size

502KB
MD5

0d049647c9597b5b0da270664071e355
SHA1

2d77bda64ccc1b6839af0d377fcc62e332ed61df
SHA256

648d4377805a064953a5f314f4038071a4d50fe85088e75c59136aa2a3d8c864
SHA512

16f1ef576a3f9137c6c40b678ef6d7a82540717ffdbac342a9d90b9847ebfa305e0ff2ee7a375ceaee1225e661ac62319e4e34bc3d08452af7ebca65e947eaf3

Score

10^/10

raccoon fcdc156d3872c18d25e3ee45499599b45e492a67 stealer

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fcdc156d3872c18d25e3ee45499599b45e492a67

Attributes

url4cnc
http://178.23.190.57/rino115sipsip
http://91.219.236.162/rino115sipsip
http://185.163.47.176/rino115sipsip
http://193.38.54.238/rino115sipsip
http://74.119.192.122/rino115sipsip
http://91.219.236.240/rino115sipsip
https://t.me/rino115sipsip

rc4.plain

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2232 created 2536 2232 WerFault.exe 0d049647c9597b5b0da270664071e355.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2232 2536 WerFault.exe 0d049647c9597b5b0da270664071e355.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2232 WerFault.exe
Token: SeBackupPrivilege 2232 WerFault.exe
Token: SeDebugPrivilege 2232 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0d049647c9597b5b0da270664071e355.exe
"C:\Users\Admin\AppData\Local\Temp\0d049647c9597b5b0da270664071e355.exe"
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 960
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-119-0x0000000002690000-0x000000000271F000-memory.dmp

Filesize
572KB

Download
memory/2536-120-0x0000000000400000-0x0000000000921000-memory.dmp

Filesize
5.1MB

Download