raccoon | 42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67

General

Target

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
Size

675KB
MD5

8ec29972dfd9a10e3da2c9ee240cc755
SHA1

5980b3c0314fc20f5ac6f3db31bbed41192c193a
SHA256

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67
SHA512

7432c3fc1afcf3ea8562c744d0bb750badc52a25e3fd1e3cbeb4cbf4e4e2c4e23f16200ee45cb1d3e3ce2ca7524f0330dfe239bdc25d5faa9a2cd37f8f9a1120

Score

10^/10

raccoon 218710f63bc498a79834837a7fbeda5d33dd357c stealer

Malware Config

Extracted

Family

raccoon

Botnet

218710f63bc498a79834837a7fbeda5d33dd357c

Attributes

url4cnc
https://telete.in/h_sinnerman_1

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1132-135-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/1132-136-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/1132-137-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/1132-138-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

description	pid	process	target process
PID 5092 set thread context of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

description	pid	process	target process
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
PID 5092 wrote to memory of 1132	5092	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe	42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe

C:\Users\Admin\AppData\Local\Temp\42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
"C:\Users\Admin\AppData\Local\Temp\42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\42b5e1b39fbd5952799a83c063617e0c1010447bffce1bec27ef5e331848aa67.exe
"{path}"
2⤵
PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-134-0x0000000000000000-mapping.dmp

Download
memory/1132-135-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1132-136-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1132-137-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1132-138-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5092-130-0x0000000000850000-0x0000000000900000-memory.dmp

Filesize
704KB

Download
memory/5092-131-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/5092-132-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/5092-133-0x00000000061C0000-0x0000000006764000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads