raccoon | 5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0

General

Target

5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe
Size

422KB
MD5

c58ab85e86005430cf8b4eb02d203271
SHA1

2a8c22a93cfaa5b52d70ccba5a86107dd7955673
SHA256

5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0
SHA512

f6d0d607707b7b3b3b390053c16e60627f5f58329d060caa35513fe2af466a25124d3b89a3eb7d59cacecd1a86071788e9a6a1ccd9115a3f516c7327dab6f5ce

Score

10^/10

raccoon a2337059abb40b184e621b38e62ace3e1a158d50 stealer

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

a2337059abb40b184e621b38e62ace3e1a158d50

Attributes

url4cnc
http://94.158.245.137/papatikmikr03
http://91.219.236.27/papatikmikr03
http://94.158.245.167/papatikmikr03
http://185.163.204.216/papatikmikr03
http://185.225.19.238/papatikmikr03
http://185.163.204.218/papatikmikr03
https://t.me/papatikmikr03

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

4393494146.exe

pid process

3200 4393494146.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

484 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 484 taskkill.exe

pid	process
3200	4393494146.exe

pid	process
484	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	484	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.execmd.execmd.exe

description	pid	process	target process
PID 3980 wrote to memory of 700	3980	5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe	cmd.exe
PID 3980 wrote to memory of 700	3980	5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe	cmd.exe
PID 3980 wrote to memory of 700	3980	5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe	cmd.exe
PID 700 wrote to memory of 3200	700	cmd.exe	4393494146.exe
PID 700 wrote to memory of 3200	700	cmd.exe	4393494146.exe
PID 700 wrote to memory of 3200	700	cmd.exe	4393494146.exe
PID 3980 wrote to memory of 3988	3980	5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe	cmd.exe
PID 3980 wrote to memory of 3988	3980	5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe	cmd.exe
PID 3980 wrote to memory of 3988	3980	5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe	cmd.exe
PID 3988 wrote to memory of 484	3988	cmd.exe	taskkill.exe
PID 3988 wrote to memory of 484	3988	cmd.exe	taskkill.exe
PID 3988 wrote to memory of 484	3988	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe
"C:\Users\Admin\AppData\Local\Temp\5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4393494146.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\4393494146.exe
"C:\Users\Admin\AppData\Local\Temp\4393494146.exe"
3⤵
- Executes dropped EXE
PID:3200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4393494146.exe
MD5
8dd39ca099bb5850e99ac9dd1c0a8679

SHA1
c12ce82e5ddea4f5299b5f0de925c7e7e09faa88

SHA256
245df6eba42f4085247e9155c66b3e607f724f648da9ec5a673a75a500318e34

SHA512
44b5703d00fc84ab2b25f3b58fed233033851c1eb4e642e5fd6e861e68a3122197ed64c3eed6b6c54810f3e2d5f954e83f4c86d509bc97cad98b35ed11235401

Download Submit
C:\Users\Admin\AppData\Local\Temp\4393494146.exe
MD5
8dd39ca099bb5850e99ac9dd1c0a8679

SHA1
c12ce82e5ddea4f5299b5f0de925c7e7e09faa88

SHA256
245df6eba42f4085247e9155c66b3e607f724f648da9ec5a673a75a500318e34

SHA512
44b5703d00fc84ab2b25f3b58fed233033851c1eb4e642e5fd6e861e68a3122197ed64c3eed6b6c54810f3e2d5f954e83f4c86d509bc97cad98b35ed11235401

Download Submit
memory/484-129-0x0000000000000000-mapping.dmp

Download
memory/700-121-0x0000000000000000-mapping.dmp

Download
memory/3200-122-0x0000000000000000-mapping.dmp

Download
memory/3200-125-0x00000000005A9000-0x00000000005F8000-memory.dmp

Filesize
316KB

Download
memory/3200-127-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3200-126-0x0000000001FB0000-0x000000000203F000-memory.dmp

Filesize
572KB

Download
memory/3980-118-0x0000000000631000-0x000000000065B000-memory.dmp

Filesize
168KB

Download
memory/3980-120-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3980-119-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/3988-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing