raccoon | 0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051

General

Target

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
Size

1.2MB
MD5

4bb6c620715fe25e76d4cca1e68bef89
SHA1

0cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80
SHA256

0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051
SHA512

59203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549

Score

10^/10

raccoon efc20640b4b1564934471e6297b87d8657db774a stealer

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

efc20640b4b1564934471e6297b87d8657db774a

Attributes

url4cnc
http://91.219.236.162/jredmankun
http://185.163.47.176/jredmankun
http://193.38.54.238/jredmankun
http://74.119.192.122/jredmankun
http://91.219.236.240/jredmankun
https://t.me/jredmankun

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

description	pid	process	target process
PID 1664 set thread context of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

484 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 484 powershell.exe

pid	process
484	powershell.exe

description	pid	process
Token: SeDebugPrivilege	484	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

description	pid	process	target process
PID 1664 wrote to memory of 484	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	powershell.exe
PID 1664 wrote to memory of 484	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	powershell.exe
PID 1664 wrote to memory of 484	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	powershell.exe
PID 1664 wrote to memory of 484	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	powershell.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 1664 wrote to memory of 1632	1664	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
"C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
"C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe"
2⤵
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-58-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/484-69-0x0000000001CE2000-0x0000000001CE4000-memory.dmp

Filesize
8KB

Download
memory/484-68-0x0000000001CE1000-0x0000000001CE2000-memory.dmp

Filesize
4KB

Download
memory/484-67-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/1632-63-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-59-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-60-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-61-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-62-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-64-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-66-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1664-54-0x0000000000270000-0x00000000003A4000-memory.dmp

Filesize
1.2MB

Download
memory/1664-57-0x00000000053D0000-0x00000000054B8000-memory.dmp

Filesize
928KB

Download
memory/1664-56-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1664-55-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing