raccoon | 6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3

Analysis

max time kernel
167s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-06-2022 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
Size

5.5MB
MD5

813b7d858ed4cc0527926a99aaa45937
SHA1

a0f439b3832bb5cf6ea509cda69d4c1f7a20b9f0
SHA256

6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3
SHA512

29e70ead8d4f42bb5913371e2eaaecd1df466f9b6d89d80c0ecba93beeea76bf97054fe7f6354e8ae905f91697ec5ce509e707ea7eed7e708eac56f6bd91817f

Score

10^/10

raccoon 2e76ef3db69c0aaf1af8319ea2bd6e91 evasion stealer suricata themida trojan

Malware Config

Extracted

Family

raccoon

Botnet

2e76ef3db69c0aaf1af8319ea2bd6e91

http://185.106.94.148/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6EC3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6EC3.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

Processes:

625F.exe6EC3.exe

pid	Process
1192	625F.exe
7900	6EC3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6EC3.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6EC3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6EC3.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000400000001e3d8-138.dat	themida
behavioral1/files/0x000400000001e3d8-139.dat	themida
behavioral1/memory/7900-141-0x0000000000430000-0x0000000000E60000-memory.dmp	themida
behavioral1/memory/7900-142-0x0000000000430000-0x0000000000E60000-memory.dmp	themida
behavioral1/memory/7900-150-0x0000000000430000-0x0000000000E60000-memory.dmp	themida
behavioral1/memory/7900-152-0x0000000000430000-0x0000000000E60000-memory.dmp	themida
behavioral1/memory/7900-175-0x0000000000430000-0x0000000000E60000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6EC3.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6EC3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6EC3.exe

pid	Process
7900	6EC3.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe

pid	Process
1220	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
1220	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
1220	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
1220	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
1220	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
1220	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3128

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe

pid	Process
1220	6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

description	pid	procid_target
PID 3128 wrote to memory of 1192	3128	88
PID 3128 wrote to memory of 1192	3128	88
PID 3128 wrote to memory of 1192	3128	88
PID 3128 wrote to memory of 7900	3128	90
PID 3128 wrote to memory of 7900	3128	90
PID 3128 wrote to memory of 7900	3128	90
PID 3128 wrote to memory of 8680	3128	91
PID 3128 wrote to memory of 8680	3128	91
PID 3128 wrote to memory of 8680	3128	91
PID 3128 wrote to memory of 8680	3128	91
PID 3128 wrote to memory of 10716	3128	92
PID 3128 wrote to memory of 10716	3128	92
PID 3128 wrote to memory of 10716	3128	92
PID 3128 wrote to memory of 12396	3128	93
PID 3128 wrote to memory of 12396	3128	93
PID 3128 wrote to memory of 12396	3128	93
PID 3128 wrote to memory of 12396	3128	93
PID 3128 wrote to memory of 13904	3128	94
PID 3128 wrote to memory of 13904	3128	94
PID 3128 wrote to memory of 13904	3128	94
PID 3128 wrote to memory of 16692	3128	95
PID 3128 wrote to memory of 16692	3128	95
PID 3128 wrote to memory of 16692	3128	95
PID 3128 wrote to memory of 16692	3128	95
PID 3128 wrote to memory of 20188	3128	96
PID 3128 wrote to memory of 20188	3128	96
PID 3128 wrote to memory of 20188	3128	96
PID 3128 wrote to memory of 20188	3128	96
PID 3128 wrote to memory of 23732	3128	97
PID 3128 wrote to memory of 23732	3128	97
PID 3128 wrote to memory of 23732	3128	97
PID 3128 wrote to memory of 23732	3128	97
PID 3128 wrote to memory of 26856	3128	98
PID 3128 wrote to memory of 26856	3128	98
PID 3128 wrote to memory of 26856	3128	98
PID 3128 wrote to memory of 29760	3128	99
PID 3128 wrote to memory of 29760	3128	99
PID 3128 wrote to memory of 29760	3128	99
PID 3128 wrote to memory of 29760	3128	99

C:\Users\Admin\AppData\Local\Temp\6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe
"C:\Users\Admin\AppData\Local\Temp\6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1220

C:\Users\Admin\AppData\Local\Temp\625F.exe
C:\Users\Admin\AppData\Local\Temp\625F.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\6EC3.exe
C:\Users\Admin\AppData\Local\Temp\6EC3.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8680

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:12396

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:13904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:16692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:20188

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:23732

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:26856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:29760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\625F.exe

Filesize
2.3MB

MD5
471cd843cafd0c683fcf443938ea57fc

SHA1
7c0dd2817b7e9fcadea4f50fbf55027fe02b9dbf

SHA256
a58e1ca08662224133a588340c92977a0c8e449287fc66ee24c962cbfadcd2ed

SHA512
8eb74441904e8f260d95690684e1f82ace12c173a044a3ee12b1e4e0e0822b817ae11f7b19f991e4fdc97a3d592abea3de4e3aaff92bbaf1630a20161f88347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\625F.exe

Filesize
2.3MB

MD5
471cd843cafd0c683fcf443938ea57fc

SHA1
7c0dd2817b7e9fcadea4f50fbf55027fe02b9dbf

SHA256
a58e1ca08662224133a588340c92977a0c8e449287fc66ee24c962cbfadcd2ed

SHA512
8eb74441904e8f260d95690684e1f82ace12c173a044a3ee12b1e4e0e0822b817ae11f7b19f991e4fdc97a3d592abea3de4e3aaff92bbaf1630a20161f88347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EC3.exe

Filesize
5.0MB

MD5
0a980ff421f7ceb060bb8ed5a586406b

SHA1
90835ab18a94addc717094cde52cd704f4a3f14b

SHA256
b9fff1c6dc22a34696747d479c8e56d8d72949518b8eebd458eb9e0653d5f9e3

SHA512
c7ad285a29166f27ebab36afcd74e37d063545a54ea6f2c80725699fa5737d72e3e55d92817e1be532b79dc7b435dfa2aed05d4fbbec359035c552f693849d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EC3.exe

Filesize
5.0MB

MD5
0a980ff421f7ceb060bb8ed5a586406b

SHA1
90835ab18a94addc717094cde52cd704f4a3f14b

SHA256
b9fff1c6dc22a34696747d479c8e56d8d72949518b8eebd458eb9e0653d5f9e3

SHA512
c7ad285a29166f27ebab36afcd74e37d063545a54ea6f2c80725699fa5737d72e3e55d92817e1be532b79dc7b435dfa2aed05d4fbbec359035c552f693849d3f

Download Submit
memory/1192-134-0x0000000000000000-mapping.dmp

Download
memory/1220-131-0x0000000000400000-0x0000000000D1D000-memory.dmp

Filesize
9.1MB

Download
memory/1220-132-0x0000000000400000-0x0000000000D1D000-memory.dmp

Filesize
9.1MB

Download
memory/1220-133-0x0000000000400000-0x0000000000D1D000-memory.dmp

Filesize
9.1MB

Download
memory/1220-130-0x0000000000400000-0x0000000000D1D000-memory.dmp

Filesize
9.1MB

Download
memory/7900-154-0x0000000077280000-0x0000000077423000-memory.dmp

Filesize
1.6MB

Download
memory/7900-150-0x0000000000430000-0x0000000000E60000-memory.dmp

Filesize
10.2MB

Download
memory/7900-141-0x0000000000430000-0x0000000000E60000-memory.dmp

Filesize
10.2MB

Download
memory/7900-142-0x0000000000430000-0x0000000000E60000-memory.dmp

Filesize
10.2MB

Download
memory/7900-176-0x0000000077280000-0x0000000077423000-memory.dmp

Filesize
1.6MB

Download
memory/7900-137-0x0000000000000000-mapping.dmp

Download
memory/7900-175-0x0000000000430000-0x0000000000E60000-memory.dmp

Filesize
10.2MB

Download
memory/7900-152-0x0000000000430000-0x0000000000E60000-memory.dmp

Filesize
10.2MB

Download
memory/8680-148-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/8680-146-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/8680-140-0x0000000000000000-mapping.dmp

Download
memory/8680-177-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/10716-153-0x0000000001240000-0x0000000001249000-memory.dmp

Filesize
36KB

Download
memory/10716-149-0x0000000001230000-0x000000000123F000-memory.dmp

Filesize
60KB

Download
memory/10716-178-0x0000000001240000-0x0000000001249000-memory.dmp

Filesize
36KB

Download
memory/10716-144-0x0000000000000000-mapping.dmp

Download
memory/12396-151-0x0000000000000000-mapping.dmp

Download
memory/12396-155-0x0000000001080000-0x0000000001085000-memory.dmp

Filesize
20KB

Download
memory/12396-156-0x0000000001070000-0x0000000001079000-memory.dmp

Filesize
36KB

Download
memory/12396-179-0x0000000001080000-0x0000000001085000-memory.dmp

Filesize
20KB

Download
memory/13904-159-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/13904-180-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/13904-157-0x0000000000000000-mapping.dmp

Download
memory/13904-158-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/16692-162-0x0000000000940000-0x0000000000967000-memory.dmp

Filesize
156KB

Download
memory/16692-181-0x0000000000970000-0x0000000000992000-memory.dmp

Filesize
136KB

Download
memory/16692-160-0x0000000000000000-mapping.dmp

Download
memory/16692-161-0x0000000000970000-0x0000000000992000-memory.dmp

Filesize
136KB

Download
memory/20188-164-0x0000000000950000-0x0000000000955000-memory.dmp

Filesize
20KB

Download
memory/20188-165-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/20188-182-0x0000000000950000-0x0000000000955000-memory.dmp

Filesize
20KB

Download
memory/20188-163-0x0000000000000000-mapping.dmp

Download
memory/23732-168-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/23732-167-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/23732-166-0x0000000000000000-mapping.dmp

Download
memory/23732-183-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/26856-171-0x00000000008D0000-0x00000000008DD000-memory.dmp

Filesize
52KB

Download
memory/26856-170-0x00000000008E0000-0x00000000008E7000-memory.dmp

Filesize
28KB

Download
memory/26856-169-0x0000000000000000-mapping.dmp

Download
memory/26856-184-0x00000000008E0000-0x00000000008E7000-memory.dmp

Filesize
28KB

Download
memory/29760-174-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/29760-173-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/29760-172-0x0000000000000000-mapping.dmp

Download
memory/29760-185-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download