raccoon | 5b037a43064259317c81f5f4192fc8b54cd218d3d9772201ec52b0680453ceb4

General

Target

35ffc986d369b7ebda2e69d37cfac6b8.exe
Size

2.6MB
MD5

35ffc986d369b7ebda2e69d37cfac6b8
SHA1

fe80513205e9176a156f2e00ea9762baa6131a0f
SHA256

5b037a43064259317c81f5f4192fc8b54cd218d3d9772201ec52b0680453ceb4
SHA512

fed41f9b20cf370f93507663bf583f762d61fda3df1908aed4238992fe1f15822f8a783c802e9789f8b10aaa4d128831365c6866d1abea46044093a927622640

Score

10^/10

raccoon 95a5f22777e49d40d70bf77aadccdc5c evasion stealer themida trojan

Malware Config

Extracted

Family

raccoon

Botnet

95a5f22777e49d40d70bf77aadccdc5c

C2

http://193.43.147.6/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1488-141-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral2/memory/1488-143-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral2/memory/1488-144-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral2/memory/1488-147-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

35ffc986d369b7ebda2e69d37cfac6b8.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 35ffc986d369b7ebda2e69d37cfac6b8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	35ffc986d369b7ebda2e69d37cfac6b8.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35ffc986d369b7ebda2e69d37cfac6b8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35ffc986d369b7ebda2e69d37cfac6b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	35ffc986d369b7ebda2e69d37cfac6b8.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/624-130-0x0000000000400000-0x0000000000885000-memory.dmp	themida
behavioral2/memory/624-133-0x0000000000400000-0x0000000000885000-memory.dmp	themida
behavioral2/memory/624-145-0x0000000000400000-0x0000000000885000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

35ffc986d369b7ebda2e69d37cfac6b8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	35ffc986d369b7ebda2e69d37cfac6b8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

35ffc986d369b7ebda2e69d37cfac6b8.exe

description pid process target process

PID 624 set thread context of 1488 624 35ffc986d369b7ebda2e69d37cfac6b8.exe InstallUtil.exe

description	pid	process	target process
PID 624 set thread context of 1488	624	35ffc986d369b7ebda2e69d37cfac6b8.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

35ffc986d369b7ebda2e69d37cfac6b8.exe

pid	process
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe
624	35ffc986d369b7ebda2e69d37cfac6b8.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

35ffc986d369b7ebda2e69d37cfac6b8.exe

description	pid	process	target process
PID 624 wrote to memory of 1488	624	35ffc986d369b7ebda2e69d37cfac6b8.exe	InstallUtil.exe
PID 624 wrote to memory of 1488	624	35ffc986d369b7ebda2e69d37cfac6b8.exe	InstallUtil.exe
PID 624 wrote to memory of 1488	624	35ffc986d369b7ebda2e69d37cfac6b8.exe	InstallUtil.exe
PID 624 wrote to memory of 1488	624	35ffc986d369b7ebda2e69d37cfac6b8.exe	InstallUtil.exe
PID 624 wrote to memory of 1488	624	35ffc986d369b7ebda2e69d37cfac6b8.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\35ffc986d369b7ebda2e69d37cfac6b8.exe
"C:\Users\Admin\AppData\Local\Temp\35ffc986d369b7ebda2e69d37cfac6b8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-145-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/624-131-0x00000000027C8000-0x0000000002BB3000-memory.dmp

Filesize
3.9MB

Download
memory/624-132-0x0000000002625000-0x000000000276E000-memory.dmp

Filesize
1.3MB

Download
memory/624-133-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/624-134-0x00000000027C8000-0x0000000002BB3000-memory.dmp

Filesize
3.9MB

Download
memory/624-135-0x0000000002625000-0x000000000276E000-memory.dmp

Filesize
1.3MB

Download
memory/624-136-0x000000000E730000-0x000000000E7EB000-memory.dmp

Filesize
748KB

Download
memory/624-137-0x000000000E730000-0x000000000E7EB000-memory.dmp

Filesize
748KB

Download
memory/624-130-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/624-146-0x0000000002625000-0x000000000276E000-memory.dmp

Filesize
1.3MB

Download
memory/1488-138-0x0000000000000000-mapping.dmp

Download
memory/1488-143-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-144-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-141-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-139-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-147-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads