Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    15-11-2021 21:12

General

  • Target

    840a9628f0b877320c144b9968a036be.exe

  • Size

    1.2MB

  • MD5

    840a9628f0b877320c144b9968a036be

  • SHA1

    ccbd1a391b1960eb818043e6d2e0b67601180dee

  • SHA256

    1a14097ff774fe463491a6c444a4bf3f7419433ebfc86b511757f2f336e44b3b

  • SHA512

    a62b5d6024b57f1b021b2e2873e56b1bf35d682110cc8ff04c2be944c0926084e13f4de6ab6f4f99a30d13f6c4cb2a433960df123159b2aae3782e074dbca27d

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

65d90e36e3587fb188a3d819652094e85ff22e28

Attributes
  • url4cnc

    http://178.23.190.57/redhe1r2

    http://91.219.236.162/redhe1r2

    http://185.163.47.176/redhe1r2

    http://193.38.54.238/redhe1r2

    http://74.119.192.122/redhe1r2

    http://91.219.236.240/redhe1r2

    https://t.me/redhe1r2

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer that was very active in 2019.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\840a9628f0b877320c144b9968a036be.exe
    "C:\Users\Admin\AppData\Local\Temp\840a9628f0b877320c144b9968a036be.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\SysWOW64\makecab.exe
      makecab
      2⤵
        PID:3240
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Scegliendo.pps
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4352
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^HqqpGiftuqDiPimRPgWJVfnlGPtccJKuuAnCyDsUZiklFrajRramWifsCPDQeUJvfbqgJWLjWwKOrhFCbSEsslpZluqfZBS$" Confusione.pps
            4⤵
              PID:2212
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com
              Puo.exe.com C
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4556
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com C
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3304
                • C:\Windows\SysWOW64\nslookup.exe
                  C:\Windows\SysWOW64\nslookup.exe
                  6⤵
                    PID:1532
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 172
                      7⤵
                      • Suspicious use of NtCreateProcessExOtherParentProcess
                      • Program crash
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2560
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:4484
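The process tree above is a textbook dropper chain: cmd.exe is fed its commands from a data file via stdin redirection (`cmd < Scegliendo.pps`), findstr /V /R with an anchored `^...$` pattern prints every line of Confusione.pps except one decoy line (the usual way to carve a payload out of a padded file without touching a scripting engine), the carved binary runs as a double-extension file from %TEMP%\IXP000.TMP (the extraction directory IExpress self-extracting packages use), `ping 127.0.0.1` stands in for sleep, and the dropped Puo.exe.com then launches a bare nslookup.exe (the SetThreadContext signature fires on this parent) that dies into WerFault.exe. The following detector is an added example, not part of the sandbox report or any vendor rule set: it walks process-creation events shaped like this tree and scores the chain. The event records are constructed from the PIDs and command lines shown above; the field names, the rule names and the "three distinct rules in one tree" threshold are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names are an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; PIDs and command lines as shown there.
EVENTS = [
    ProcEvent(4300, 1, r"C:\Users\Admin\AppData\Local\Temp\840a9628f0b877320c144b9968a036be.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\840a9628f0b877320c144b9968a036be.exe"'),
    ProcEvent(3240, 4300, r"C:\Windows\SysWOW64\makecab.exe", "makecab"),
    ProcEvent(4352, 4300, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Scegliendo.pps"),
    ProcEvent(1876, 4352, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(2212, 1876, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^HqqpGiftuqDiPimRPgWJVfnlGPtccJKuuAnCyDsUZiklFrajRramWifsCPDQeUJvfbqgJWLjWwKOrhFCbSEsslpZluqfZBS$" Confusione.pps'),
    ProcEvent(4556, 1876, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com", "Puo.exe.com C"),
    ProcEvent(3304, 4556, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com",
              r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puo.exe.com C"),
    ProcEvent(1532, 3304, r"C:\Windows\SysWOW64\nslookup.exe", r"C:\Windows\SysWOW64\nslookup.exe"),
    ProcEvent(2560, 1532, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 172"),
    ProcEvent(4484, 1876, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Rule patterns (assumptions, tuned to the shapes seen in this report).
RE_CMD_STDIN = re.compile(r'\bcmd(?:\.exe)?\b[^<]*<\s*"?([^"\s]+)', re.I)
RE_FINDSTR_CARVE = re.compile(r'\bfindstr(?:\.exe)?\b(?=.*\s/V\b)(?=.*\s/R\b).*"\^[^"$]+\$"', re.I)
RE_PING_LOOPBACK = re.compile(r'\bping(?:\.exe)?\b.*\b127\.0\.0\.1\b', re.I)
RE_WERFAULT_PID = re.compile(r'\bWerFault\.exe\b.*-p\s+(\d+)', re.I)
SCRIPT_EXT = {".bat", ".cmd"}               # extensions cmd legitimately reads scripts from
TEMP_MARK = "\\appdata\\local\\temp\\"      # compared against lower-cased image paths
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def rules_for(ev, by_pid):
    """Return (rule_name, note) pairs that fire on a single event, given a pid->event map."""
    hits = []
    cl, img = ev.cmdline, ev.image.lower()
    parent = by_pid.get(ev.ppid)

    m = RE_CMD_STDIN.search(cl)
    if m:
        name = m.group(1)
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext not in SCRIPT_EXT:
            hits.append(("cmd_stdin_from_data_file", f"cmd reads its commands from {name}"))
    if RE_FINDSTR_CARVE.search(cl):
        hits.append(("findstr_v_r_carve", "findstr /V /R with anchored ^...$ pattern removes one decoy line"))
    if img.endswith(".exe.com") or "\\ixp000.tmp\\" in img:
        hits.append(("dropped_double_extension_exe", f"double-extension or IExpress-dir executable: {ev.image}"))
    if RE_PING_LOOPBACK.search(cl):
        hits.append(("ping_loopback_delay", "ping to 127.0.0.1 used as a sleep"))
    if (img.startswith(SYSTEM_DIRS) and not img.endswith("werfault.exe")
            and parent is not None and TEMP_MARK in parent.image.lower()):
        hits.append(("lolbin_spawned_by_temp_exe", f"{ev.image} launched by {parent.image}"))
    m = RE_WERFAULT_PID.search(cl)
    if m:
        crashed = by_pid.get(int(m.group(1)))
        gp = by_pid.get(crashed.ppid) if crashed else None
        if gp is not None and TEMP_MARK in gp.image.lower():
            hits.append(("crash_of_injected_child", f"pid {crashed.pid} (child of {gp.image}) crashed"))
    return hits


def analyze(events):
    """Group rule hits by the root of each process tree; a tree with >=3 distinct rules is suspicious."""
    by_pid = {e.pid: e for e in events}

    def root_of(pid):
        seen = set()
        while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid].ppid
        return pid

    findings = defaultdict(list)
    for ev in events:
        for rule, note in rules_for(ev, by_pid):
            findings[root_of(ev.pid)].append((ev.pid, rule, note))
    return {root: {"rules": sorted({r for _, r, _ in hits}), "hits": hits,
                   "suspicious": len({r for _, r, _ in hits}) >= 3}
            for root, hits in findings.items()}


if __name__ == "__main__":
    for root, v in analyze(EVENTS).items():
        print(f"root pid {root}: suspicious={v['suspicious']} rules={v['rules']}")
        for pid, rule, note in v["hits"]:
            print(f"  [{rule}] pid {pid}: {note}")
```

Run against the constructed events, the whole tree collapses onto root PID 4300 with six distinct rules firing, which is what makes the chain convincing: no single step (findstr, ping, a crashing nslookup) is malicious on its own, so score per tree rather than per event. Note that the file the carved payload is written to is not recoverable from the process tree alone, since the redirection happens inside the batch read from Scegliendo.pps; file-creation telemetry for %TEMP%\IXP000.TMP is needed to close that gap.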

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1532-129-0x0000000000670000-0x0000000000701000-memory.dmp

    Filesize

    580KB