raccoon | 65e2e0704a22d1a0f3d5453c2e9ac551a839af68415958ef0c03e44d1a82829d

General

Target

dc14553bed2ff0c430fe14d03b904142.exe
Size

33KB
MD5

dc14553bed2ff0c430fe14d03b904142
SHA1

32ddd246599f8715ac34cc167fa8f210b4e7c7f9
SHA256

65e2e0704a22d1a0f3d5453c2e9ac551a839af68415958ef0c03e44d1a82829d
SHA512

69deb6c3a3a2d5a889e16cfd0a282df279ea0b8f46bd880dff392aefee437842fedce8b1330de81fad4aaa73d0c1e2237f0520a66ca3fe741c714e5715bc8b21

Score

10^/10

raccoon agilenet stealer

Malware Config

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1592-54-0x0000000000E50000-0x0000000000E5E000-memory.dmp	agile_net
behavioral1/memory/1592-55-0x0000000000E50000-0x0000000000E5E000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

dc14553bed2ff0c430fe14d03b904142.exe

description pid process target process

PID 1592 set thread context of 1824 1592 dc14553bed2ff0c430fe14d03b904142.exe dc14553bed2ff0c430fe14d03b904142.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1868 1824 WerFault.exe dc14553bed2ff0c430fe14d03b904142.exe

description	pid	process	target process
PID 1592 set thread context of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe

pid	pid_target	process	target process
1868	1824	WerFault.exe	dc14553bed2ff0c430fe14d03b904142.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

dc14553bed2ff0c430fe14d03b904142.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	dc14553bed2ff0c430fe14d03b904142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	dc14553bed2ff0c430fe14d03b904142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	dc14553bed2ff0c430fe14d03b904142.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

dc14553bed2ff0c430fe14d03b904142.exeWerFault.exe

pid	process
1592	dc14553bed2ff0c430fe14d03b904142.exe
1592	dc14553bed2ff0c430fe14d03b904142.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1868 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dc14553bed2ff0c430fe14d03b904142.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1592 dc14553bed2ff0c430fe14d03b904142.exe
Token: SeDebugPrivilege 1868 WerFault.exe

pid	process
1868	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1592	dc14553bed2ff0c430fe14d03b904142.exe
Token: SeDebugPrivilege	1868	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

dc14553bed2ff0c430fe14d03b904142.exedc14553bed2ff0c430fe14d03b904142.exe

description	pid	process	target process
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1592 wrote to memory of 1824	1592	dc14553bed2ff0c430fe14d03b904142.exe	dc14553bed2ff0c430fe14d03b904142.exe
PID 1824 wrote to memory of 1868	1824	dc14553bed2ff0c430fe14d03b904142.exe	WerFault.exe
PID 1824 wrote to memory of 1868	1824	dc14553bed2ff0c430fe14d03b904142.exe	WerFault.exe
PID 1824 wrote to memory of 1868	1824	dc14553bed2ff0c430fe14d03b904142.exe	WerFault.exe
PID 1824 wrote to memory of 1868	1824	dc14553bed2ff0c430fe14d03b904142.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dc14553bed2ff0c430fe14d03b904142.exe
"C:\Users\Admin\AppData\Local\Temp\dc14553bed2ff0c430fe14d03b904142.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\dc14553bed2ff0c430fe14d03b904142.exe
C:\Users\Admin\AppData\Local\Temp\dc14553bed2ff0c430fe14d03b904142.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 408
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1592-54-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/1592-55-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/1592-56-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1592-57-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1592-58-0x00000000051D0000-0x0000000005288000-memory.dmp

Filesize
736KB

Download
memory/1592-59-0x0000000004D80000-0x0000000004DCC000-memory.dmp

Filesize
304KB

Download
memory/1824-64-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1824-61-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1824-60-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1824-63-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1824-62-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1824-65-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1824-66-0x0000000000440309-mapping.dmp

Download
memory/1824-69-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1868-68-0x0000000000000000-mapping.dmp

Download
memory/1868-70-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads