raccoon | 0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051

General

Target

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
Size

1.2MB
MD5

4bb6c620715fe25e76d4cca1e68bef89
SHA1

0cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80
SHA256

0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051
SHA512

59203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549

Score

10^/10

raccoon efc20640b4b1564934471e6297b87d8657db774a stealer suricata

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

efc20640b4b1564934471e6297b87d8657db774a

Attributes

url4cnc
http://91.219.236.162/jredmankun
http://185.163.47.176/jredmankun
http://193.38.54.238/jredmankun
http://74.119.192.122/jredmankun
http://91.219.236.240/jredmankun
https://t.me/jredmankun

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata

Suspicious use of SetThreadContext 1 IoCs

Processes:

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

description	pid	process	target process
PID 344 set thread context of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exepowershell.exe

pid	process
344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
4368	powershell.exe
4368	powershell.exe
4368	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exepowershell.exe

description pid process

Token: SeDebugPrivilege 344 0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
Token: SeDebugPrivilege 4368 powershell.exe

description	pid	process
Token: SeDebugPrivilege	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
Token: SeDebugPrivilege	4368	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
"C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
"C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe"
2⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
"C:\Users\Admin\AppData\Local\Temp\0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe"
2⤵
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-118-0x0000000000090000-0x00000000001C4000-memory.dmp

Filesize
1.2MB

Download
memory/344-119-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/344-120-0x0000000002450000-0x000000000245C000-memory.dmp

Filesize
48KB

Download
memory/344-121-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/344-122-0x00000000050B0000-0x000000000514C000-memory.dmp

Filesize
624KB

Download
memory/344-123-0x0000000005320000-0x0000000005408000-memory.dmp

Filesize
928KB

Download
memory/344-124-0x0000000005900000-0x0000000005DFE000-memory.dmp

Filesize
5.0MB

Download
memory/4368-149-0x0000000008DE0000-0x0000000008DFE000-memory.dmp

Filesize
120KB

Download
memory/4368-138-0x0000000007CE0000-0x0000000007D2B000-memory.dmp

Filesize
300KB

Download
memory/4368-129-0x00000000070E0000-0x0000000007708000-memory.dmp

Filesize
6.2MB

Download
memory/4368-355-0x00000000080B0000-0x00000000080B8000-memory.dmp

Filesize
32KB

Download
memory/4368-131-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/4368-132-0x0000000006AA2000-0x0000000006AA3000-memory.dmp

Filesize
4KB

Download
memory/4368-133-0x0000000006EA0000-0x0000000006EC2000-memory.dmp

Filesize
136KB

Download
memory/4368-134-0x0000000006F40000-0x0000000006FA6000-memory.dmp

Filesize
408KB

Download
memory/4368-135-0x0000000007780000-0x00000000077E6000-memory.dmp

Filesize
408KB

Download
memory/4368-136-0x0000000007910000-0x0000000007C60000-memory.dmp

Filesize
3.3MB

Download
memory/4368-137-0x0000000007040000-0x000000000705C000-memory.dmp

Filesize
112KB

Download
memory/4368-128-0x0000000004470000-0x00000000044A6000-memory.dmp

Filesize
216KB

Download
memory/4368-139-0x0000000008000000-0x0000000008076000-memory.dmp

Filesize
472KB

Download
memory/4368-148-0x0000000009030000-0x0000000009063000-memory.dmp

Filesize
204KB

Download
memory/4368-350-0x00000000080C0000-0x00000000080DA000-memory.dmp

Filesize
104KB

Download
memory/4368-154-0x0000000009160000-0x0000000009205000-memory.dmp

Filesize
660KB

Download
memory/4368-156-0x0000000006AA3000-0x0000000006AA4000-memory.dmp

Filesize
4KB

Download
memory/4368-155-0x000000007EB30000-0x000000007EB31000-memory.dmp

Filesize
4KB

Download
memory/4368-157-0x0000000009320000-0x00000000093B4000-memory.dmp

Filesize
592KB

Download
memory/4388-125-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4388-130-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

description	pid	process	target process
PID 344 wrote to memory of 4368	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	powershell.exe
PID 344 wrote to memory of 4368	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	powershell.exe
PID 344 wrote to memory of 4368	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	powershell.exe
PID 344 wrote to memory of 4396	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4396	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4396	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe
PID 344 wrote to memory of 4388	344	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe	0B668D0AC89D5DA1526BE831F7B8C3F2AF54C5DBC68C0.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads