raccoon | 0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d

General

Target

0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
Size

516KB
MD5

a77b9e35defc578f734e2d95f96e2a31
SHA1

f33bcfb0ee9d064b2f5bc55f3a0de16391af3aaa
SHA256

0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d
SHA512

c456633dd2295f607e56570ce9ca7e424ba0273aa4c42589220eac2f77b603f74dc6184e638d2598bc0c384a140467c93222e9d8ee29b6b56369dced2a8d9e0a

Score

10^/10

raccoon 87602aad8b4abffeb6a1ca955b58feb09879eb88 stealer

Malware Config

Extracted

Family

raccoon

Botnet

87602aad8b4abffeb6a1ca955b58feb09879eb88

Attributes

url4cnc
https://telete.in/jhummybear11

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1152-62-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1152-64-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1152-66-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1152-67-0x000000000043FCC3-mapping.dmp	family_raccoon
behavioral1/memory/1152-70-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1152-71-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/964-55-0x0000000004830000-0x00000000048AC000-memory.dmp	beds_protector

Drops startup file 2 IoCs

Processes:

0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update_.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update_.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

description	pid	process	target process
PID 964 set thread context of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

pid	process
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

description pid process

Token: SeDebugPrivilege 964 0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

description	pid	process
Token: SeDebugPrivilege	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

description	pid	process	target process
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
PID 964 wrote to memory of 1152	964	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe	0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe

C:\Users\Admin\AppData\Local\Temp\0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
"C:\Users\Admin\AppData\Local\Temp\0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe
"C:\Users\Admin\AppData\Local\Temp\0879a1d94561690c9ce842aa49183083e72304edaf2e54650f00f262e719429d.exe"
2⤵
PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x0000000000D20000-0x0000000000DA6000-memory.dmp

Filesize
536KB

Download
memory/964-55-0x0000000004830000-0x00000000048AC000-memory.dmp

Filesize
496KB

Download
memory/964-56-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1152-57-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1152-58-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1152-60-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1152-62-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1152-64-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1152-66-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1152-67-0x000000000043FCC3-mapping.dmp

Download
memory/1152-70-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1152-71-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads