Overview

overview

10

Static

static

100f06c3c5...bb.exe

windows7_x64

10

100f06c3c5...bb.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    14-11-2021 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    100f06c3c5a50552ecfde1fbf3e9b4bb.exe

  • Size

    500KB

  • MD5

    100f06c3c5a50552ecfde1fbf3e9b4bb

  • SHA1

    1749c9ac51e7d76c5138c7a8a4de13ce16e7423a

  • SHA256

    879b3d8f4e4f90f19da28a6ff8b46fac43c972a2b4b268a708966650b9148b7f

  • SHA512

    474dd5169b516f0dba5d15d6ab75ef2b1e45dec18b7958a020cbe4a98499f6d9e13879ffa37777cad11a0b4fa84dd960a4b452fe4b475a8967768e1b28bda32a

Score
10/10
raccoon675718a5f2ce6d3cacf6cb04a512f5637eae995fstealer

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

675718a5f2ce6d3cacf6cb04a512f5637eae995f

Attributes
  • url4cnc

    http://91.219.236.27/agrybirdsgamerept

    http://5.181.156.92/agrybirdsgamerept

    http://91.219.236.207/agrybirdsgamerept

    http://185.225.19.18/agrybirdsgamerept

    http://91.219.237.227/agrybirdsgamerept

    http://185.163.47.176/agrybirdsgamerept

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\100f06c3c5a50552ecfde1fbf3e9b4bb.exe
    "C:\Users\Admin\AppData\Local\Temp\100f06c3c5a50552ecfde1fbf3e9b4bb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 404
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/292-58-0x0000000000000000-mapping.dmp
    Download
  • memory/292-60-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/432-55-0x00000000762D1000-0x00000000762D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/432-56-0x0000000000220000-0x000000000026F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/432-57-0x00000000004A0000-0x000000000052F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/432-59-0x0000000000400000-0x0000000000491000-memory.dmp
    Filesize

    580KB

    Download