raccoon | 35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239

General

Target

35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
Size

695KB
MD5

30e40f5a390ced36efa052f1bff8aa74
SHA1

96d747cc17f26f98c1034a7ba6f4035c95e9dc79
SHA256

35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239
SHA512

70005b28e841e153d6dc0aa5cef946a444a13f5d042b93a1ec9691828a00353cf0a68982d2018308abaa925620ad957957b170adcba038251c458cb40c8d9964

Score

10^/10

raccoon 8dec62c1db2959619dca43e02fa46ad7bd606400 stealer

Malware Config

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe

description	pid	process	target process
PID 1608 set thread context of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe

description	pid	process	target process
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
PID 1608 wrote to memory of 1384	1608	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe	35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe

C:\Users\Admin\AppData\Local\Temp\35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
"C:\Users\Admin\AppData\Local\Temp\35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe
"C:\Users\Admin\AppData\Local\Temp\35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239.exe"
2⤵
PID:1384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-61-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1384-66-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1384-65-0x00000000004F0000-0x000000000057E000-memory.dmp

Filesize
568KB

Download
memory/1384-64-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1384-58-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1384-63-0x00000000004A0000-0x00000000004EE000-memory.dmp

Filesize
312KB

Download
memory/1384-62-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1608-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1608-60-0x0000000002C20000-0x0000000002C90000-memory.dmp

Filesize
448KB

Download
memory/1608-59-0x0000000002BB0000-0x0000000002C13000-memory.dmp

Filesize
396KB

Download
memory/1608-54-0x0000000002CBB000-0x0000000002D32000-memory.dmp

Filesize
476KB

Download
memory/1608-56-0x0000000000320000-0x00000000003A3000-memory.dmp

Filesize
524KB

Download
memory/1608-55-0x0000000002CBB000-0x0000000002D32000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing