Analysis

  • max time kernel
    138s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    15-11-2021 21:12

General

  • Target

    840a9628f0b877320c144b9968a036be.exe

  • Size

    1.2MB

  • MD5

    840a9628f0b877320c144b9968a036be

  • SHA1

    ccbd1a391b1960eb818043e6d2e0b67601180dee

  • SHA256

    1a14097ff774fe463491a6c444a4bf3f7419433ebfc86b511757f2f336e44b3b

  • SHA512

    a62b5d6024b57f1b021b2e2873e56b1bf35d682110cc8ff04c2be944c0926084e13f4de6ab6f4f99a30d13f6c4cb2a433960df123159b2aae3782e074dbca27d

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

65d90e36e3587fb188a3d819652094e85ff22e28

Attributes
  • url4cnc

    http://178.23.190.57/redhe1r2

    http://91.219.236.162/redhe1r2

    http://185.163.47.176/redhe1r2

    http://193.38.54.238/redhe1r2

    http://74.119.192.122/redhe1r2

    http://91.219.236.240/redhe1r2

    https://t.me/redhe1r2

  • rc4.plain
  • rc4.plain

Signatures

  • Raccoon

    Simple but capable infostealer, first seen and very active in 2019.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
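The signature names above are the sandbox's verdicts; the process tree in the Processes section below is what a detection engineer can actually turn into rules. The block that follows is an added example for this page (not Hatching Triage's signature code and not anything from the sample) that expresses five of those behaviours as rules over reduced Sysmon Event ID 1 style records. The five malicious events are copied from the report's tree (the dropper's own image path is assumed to be the parent of the first cmd.exe); the two trailing events are constructed benign controls so the rules can be shown not to fire on ordinary findstr and nslookup use.

```python
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]

# Constructed process-creation events (Sysmon Event ID 1 shape, reduced to the
# fields the rules need). PIDs, images and command lines come from this report;
# the last two records are constructed benign controls.
EVENTS: List[Event] = [
    {"ProcessId": "284", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\840a9628f0b877320c144b9968a036be.exe",
     "CommandLine": "cmd /c cmd < Scegliendo.pps"},
    {"ProcessId": "1796", "Image": r"C:\Windows\SysWOW64\findstr.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": 'findstr /V /R "^HqqpGiftuqDiPimRPgWJVfnlGPtccJKuuAnCyDsUZiklFrajRramWifsCPDQeUJvfbqgJWLjWwKOrhFCbSEsslpZluqfZBS$" Confusione.pps'},
    {"ProcessId": "1132", "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "Puo.exe.com C"},
    {"ProcessId": "1800", "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "ping 127.0.0.1"},
    {"ProcessId": "1924", "Image": r"C:\Windows\SysWOW64\nslookup.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com",
     "CommandLine": r"C:\Windows\SysWOW64\nslookup.exe"},
    # Benign controls (constructed): an admin grepping a log, and a manual lookup.
    {"ProcessId": "9001", "Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'findstr /I "error" C:\\logs\\app.log'},
    {"ProcessId": "9002", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "nslookup example.com"},
]


def _image_name(ev: Event) -> str:
    return ev["Image"].rsplit("\\", 1)[-1].lower()


def cmd_stdin_from_data_file(ev: Event) -> Optional[str]:
    """cmd.exe fed a script on stdin from a file whose extension is not .bat/.cmd
    (here a .pps), which hides the batch logic from extension-based tooling."""
    if _image_name(ev) != "cmd.exe":
        return None
    m = re.search(r'<\s*"?([^"\s]+)', ev["CommandLine"])
    if m and not m.group(1).lower().endswith((".bat", ".cmd")):
        return "cmd.exe script redirected from stdin (%s)" % m.group(1)
    return None


def findstr_inverse_long_anchor(ev: Event) -> Optional[str]:
    """findstr /V /R "^<long token>$" drops the lines of a carrier file that hold a
    junk marker: this is file reconstruction, not a search."""
    if _image_name(ev) != "findstr.exe":
        return None
    cl = ev["CommandLine"]
    if (re.search(r"(?i)\s/V\b", cl) and re.search(r"(?i)\s/R\b", cl)
            and re.search(r'"\^[A-Za-z0-9]{32,}\$"', cl)):
        return "findstr /V /R with long anchored junk marker (file reconstruction)"
    return None


def double_extension_in_temp(ev: Event) -> Optional[str]:
    """An executable named *.exe.com (or similar) started from under a Temp directory."""
    img = ev["Image"].lower()
    if re.search(r"\\temp\\", img) and re.search(r"\.(exe|scr|dll)\.(com|pif|scr)$", img):
        return "double-extension executable under Temp"
    return None


def loopback_ping(ev: Event) -> Optional[str]:
    """ping 127.0.0.1 from a script is a sleep, not a connectivity check."""
    if _image_name(ev) == "ping.exe" and "127.0.0.1" in ev["CommandLine"]:
        return "ping 127.0.0.1 used as a delay"
    return None


def nslookup_from_user_writable_parent(ev: Event) -> Optional[str]:
    """nslookup.exe started with no arguments by a parent under C:\\Users: the shape
    of a process-hollowing host, matching the SetThreadContext signature above."""
    if _image_name(ev) != "nslookup.exe":
        return None
    parent = ev["ParentImage"].lower()
    args = ev["CommandLine"].strip().lower()
    bare = args.endswith("nslookup.exe") or args == "nslookup"
    if bare and parent.startswith("c:\\users\\"):
        return "argument-less nslookup.exe spawned from a user-writable path"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    cmd_stdin_from_data_file, findstr_inverse_long_anchor, double_extension_in_temp,
    loopback_ping, nslookup_from_user_writable_parent,
]


def evaluate(events: List[Event]) -> Dict[str, List[str]]:
    """Return {ProcessId: [reasons]} for every event that trips at least one rule."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = [r for r in (rule(ev) for rule in RULES) if r]
        if reasons:
            hits[ev["ProcessId"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in evaluate(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Each rule alone is noisy in a large estate (ping 127.0.0.1 is a common scripting idiom); the value is in the chain: a cmd.exe reading its script from stdin, followed within seconds by the findstr /V reconstruction, a double-extension executable under Temp and a bare nslookup.exe whose parent is that executable. Correlating the hits by parent PID within one process tree is what turns these into a usable alert.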

Processes

  • C:\Users\Admin\AppData\Local\Temp\840a9628f0b877320c144b9968a036be.exe
    "C:\Users\Admin\AppData\Local\Temp\840a9628f0b877320c144b9968a036be.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\makecab.exe
      makecab
      2⤵
        PID:460
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Scegliendo.pps
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:284
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^HqqpGiftuqDiPimRPgWJVfnlGPtccJKuuAnCyDsUZiklFrajRramWifsCPDQeUJvfbqgJWLjWwKOrhFCbSEsslpZluqfZBS$" Confusione.pps
            4⤵
              PID:1796
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com
              Puo.exe.com C
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1132
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com C
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:1628
                • C:\Windows\SysWOW64\nslookup.exe
                  C:\Windows\SysWOW64\nslookup.exe
                  6⤵
                    PID:1924
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:1800
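The findstr command at depth 4 is the loader's decode step: Confusione.pps is the payload with a junk line (the long anchored token) interleaved through it, and `findstr /V /R "^…$"` prints every line that is not exactly that token, which cmd redirects into Puo.exe.com (the redirection is handled by cmd.exe, so it does not appear in the child's command line). The block below is an added example for this page, not code from the sandbox or from the sample, that reproduces that filter offline so the dropped executable can be recovered for static analysis. The marker and the findstr command line are taken from the report; the carrier file itself is not on the page, so the example builds a constructed stand-in (a minimal MZ/PE header plus filler with the marker inserted as its own line after every existing LF) and checks that the filtered output is a PE image. For a real sample the caveat is that findstr's own line handling can differ by a CRLF at a boundary, so a byte-exact reconstruction is best confirmed against the executable recovered from the sandbox, here the 580KB region dumped from PID 1924.

```python
import re
from typing import Optional

# Junk-line marker and findstr invocation, copied from the process tree above.
MARKER = ("HqqpGiftuqDiPimRPgWJVfnlGPtccJKuuAnCyDsUZiklFrajRramWifsCPDQeUJvfbqgJW"
          "LjWwKOrhFCbSEsslpZluqfZBS")
FINDSTR_CMDLINE = 'findstr /V /R "^%s$" Confusione.pps' % MARKER


def marker_from_findstr(cmdline: str) -> Optional[str]:
    """Pull the junk-line token out of a `findstr /V /R "^<token>$" <file>` command line."""
    m = re.search(r'findstr\s+/V\s+/R\s+"\^(.+?)\$"', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def strip_marker_lines(carrier: bytes, marker: str) -> bytes:
    """Emulate `findstr /V /R "^<marker>$"`: drop every line that is exactly the
    marker (with or without a trailing CR) and keep all other bytes untouched.
    Splitting only on LF mirrors findstr's line view; NUL and stray CR pass through."""
    want = marker.encode()
    kept = []
    for line in carrier.split(b"\n"):
        body = line[:-1] if line.endswith(b"\r") else line
        if body == want:
            continue
        kept.append(line)
    return b"\n".join(kept)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a reconstructed file: MZ stub and e_lfanew -> 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_payload() -> bytes:
    """Constructed stand-in for the dropped executable (the real Puo.exe.com is not
    on the page): a valid-looking MZ/PE header followed by filler that contains a
    few LF bytes, so the carrier has real line boundaries to hide the marker in."""
    hdr = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"
    filler = (b"\x01\x02\x0a\x0d\x0a\xff" * 8) + bytes(range(0x0B, 0x40))
    return hdr + filler


def build_fake_carrier(payload: bytes, marker: str) -> bytes:
    """Constructed carrier in the style of Confusione.pps: the marker is written as
    its own CRLF-terminated line at the start and after every existing LF."""
    junk = marker.encode() + b"\r\n"
    return junk + payload.replace(b"\n", b"\n" + junk)


def recover(carrier: bytes, findstr_cmdline: str) -> bytes:
    """Full decode step: read the marker from the findstr command line and apply it."""
    marker = marker_from_findstr(findstr_cmdline)
    if marker is None:
        raise ValueError("no findstr /V /R \"^...$\" pattern in command line")
    return strip_marker_lines(carrier, marker)


if __name__ == "__main__":
    payload = build_fake_payload()
    carrier = build_fake_carrier(payload, MARKER)
    out = recover(carrier, FINDSTR_CMDLINE)
    print("carrier %d bytes, PE: %s" % (len(carrier), looks_like_pe(carrier)))
    print("recovered %d bytes, PE: %s, exact: %s"
          % (len(out), looks_like_pe(out), out == payload))
```

Against a real Confusione.pps, pass the file bytes and the findstr command line from the sandbox tree to `recover()`, then hand the result to a PE parser; if the header check fails, diff the output against the memory dump rather than trusting the emulation.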

Network

MITRE ATT&CK Enterprise v6
Downloads

  • memory/1132-66-0x0000000075491000-0x0000000075493000-memory.dmp
    Filesize
    8KB

  • memory/1924-73-0x00000000000C0000-0x0000000000151000-memory.dmp
    Filesize
    580KB

  • memory/1924-74-0x00000000000C0000-0x0000000000151000-memory.dmp
    Filesize
    580KB

  • memory/1924-77-0x00000000000C0000-0x0000000000151000-memory.dmp
    Filesize
    580KB