raccoon | 42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67

General

Target

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
Size

675KB
MD5

8ec29972dfd9a10e3da2c9ee240cc755
SHA1

5980b3c0314fc20f5ac6f3db31bbed41192c193a
SHA256

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67
SHA512

7432c3fc1afcf3ea8562c744d0bb750badc52a25e3fd1e3cbeb4cbf4e4e2c4e23f16200ee45cb1d3e3ce2ca7524f0330dfe239bdc25d5faa9a2cd37f8f9a1120

Score

10^/10

raccoon 218710f63bc498a79834837a7fbeda5d33dd357c stealer

Malware Config

Extracted

Family

raccoon

Botnet

218710f63bc498a79834837a7fbeda5d33dd357c

Attributes

url4cnc
https://telete.in/h_sinnerman_1

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-62-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1892-64-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1892-66-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1892-67-0x000000000043FA98-mapping.dmp	family_raccoon
behavioral1/memory/1892-70-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral1/memory/1892-71-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

description	pid	process	target process
PID 884 set thread context of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

description	pid	process	target process
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 884 wrote to memory of 1892	884	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

C:\Users\Admin\AppData\Local\Temp\42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
"C:\Users\Admin\AppData\Local\Temp\42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
"{path}"
2⤵
PID:1892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-54-0x0000000000A30000-0x0000000000AE0000-memory.dmp

Filesize
704KB

Download
memory/884-55-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/884-56-0x0000000005300000-0x000000000539E000-memory.dmp

Filesize
632KB

Download
memory/1892-57-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1892-58-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1892-60-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1892-62-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1892-64-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1892-66-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1892-67-0x000000000043FA98-mapping.dmp

Download
memory/1892-69-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/1892-70-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1892-71-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads