raccoon | f93521d653a724f562be130f117f3e7ee1b87eeab357f3c5695812a4a9ea73a5

Analysis

max time kernel
91s
max time network
98s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31/08/2022, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

1000KB
MD5

6ffb07e3414cd88275cd4c3b8bbe7b5e
SHA1

0b5f524c0478d84860d16c786358ebda166a5ee1
SHA256

f93521d653a724f562be130f117f3e7ee1b87eeab357f3c5695812a4a9ea73a5
SHA512

ec9f389f258b2553b52c68ea602c55aacd0d1ed052b17d63b7ca5324b2bccfab97e843d540baea9628f15dc9a798b58512218921373f535815093351f2388885
SSDEEP

12288:jylN+SwBxYRjRGLFA8gpO4Xspi5n/IxrcBWQzf7x:jDSw/RsWe1W4

Score

10^/10

raccoon ytstealer 4689c837190317f8309bc798897decf7 spyware stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

4689c837190317f8309bc798897decf7

http://91.234.254.126/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1520-110-0x0000000000FB0000-0x0000000001D89000-memory.dmp	family_ytstealer
behavioral1/memory/684-112-0x0000000001350000-0x0000000002162000-memory.dmp	family_ytstealer

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
816	Q6vTCQJJ.exe
1240	GGuQnxQA.exe
1520	dj202402.exe
684	decqza3u.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012770-95.dat	upx
behavioral1/files/0x0007000000012770-96.dat	upx
behavioral1/files/0x0007000000012770-98.dat	upx
behavioral1/memory/1244-99-0x00000000041F0000-0x0000000004FC9000-memory.dmp	upx
behavioral1/memory/1520-100-0x0000000000FB0000-0x0000000001D89000-memory.dmp	upx
behavioral1/files/0x00070000000133f9-103.dat	upx
behavioral1/files/0x00070000000133f9-104.dat	upx
behavioral1/files/0x00070000000133f9-106.dat	upx
behavioral1/memory/684-107-0x0000000001350000-0x0000000002162000-memory.dmp	upx
behavioral1/memory/1520-110-0x0000000000FB0000-0x0000000001D89000-memory.dmp	upx
behavioral1/files/0x0007000000012770-111.dat	upx
behavioral1/memory/684-112-0x0000000001350000-0x0000000002162000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
1244	cvtres.exe
1244	cvtres.exe
1244	cvtres.exe
1244	cvtres.exe
1244	cvtres.exe
1244	cvtres.exe
1244	cvtres.exe
1244	cvtres.exe
1244	cvtres.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
816	Q6vTCQJJ.exe
816	Q6vTCQJJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1244	1972	Installer.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1252	powershell.exe
816	Q6vTCQJJ.exe
1520	dj202402.exe
1520	dj202402.exe
1240	GGuQnxQA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1240	GGuQnxQA.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1252	1972	Installer.exe	27
PID 1972 wrote to memory of 1252	1972	Installer.exe	27
PID 1972 wrote to memory of 1252	1972	Installer.exe	27
PID 1972 wrote to memory of 1252	1972	Installer.exe	27
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1972 wrote to memory of 1244	1972	Installer.exe	29
PID 1244 wrote to memory of 816	1244	cvtres.exe	32
PID 1244 wrote to memory of 816	1244	cvtres.exe	32
PID 1244 wrote to memory of 816	1244	cvtres.exe	32
PID 1244 wrote to memory of 816	1244	cvtres.exe	32
PID 816 wrote to memory of 556	816	Q6vTCQJJ.exe	33
PID 816 wrote to memory of 556	816	Q6vTCQJJ.exe	33
PID 816 wrote to memory of 556	816	Q6vTCQJJ.exe	33
PID 816 wrote to memory of 556	816	Q6vTCQJJ.exe	33
PID 1244 wrote to memory of 1240	1244	cvtres.exe	35
PID 1244 wrote to memory of 1240	1244	cvtres.exe	35
PID 1244 wrote to memory of 1240	1244	cvtres.exe	35
PID 1244 wrote to memory of 1240	1244	cvtres.exe	35
PID 816 wrote to memory of 1036	816	Q6vTCQJJ.exe	36
PID 816 wrote to memory of 1036	816	Q6vTCQJJ.exe	36
PID 816 wrote to memory of 1036	816	Q6vTCQJJ.exe	36
PID 816 wrote to memory of 1036	816	Q6vTCQJJ.exe	36
PID 1244 wrote to memory of 1520	1244	cvtres.exe	38
PID 1244 wrote to memory of 1520	1244	cvtres.exe	38
PID 1244 wrote to memory of 1520	1244	cvtres.exe	38
PID 1244 wrote to memory of 1520	1244	cvtres.exe	38
PID 1244 wrote to memory of 684	1244	cvtres.exe	40
PID 1244 wrote to memory of 684	1244	cvtres.exe	40
PID 1244 wrote to memory of 684	1244	cvtres.exe	40
PID 1244 wrote to memory of 684	1244	cvtres.exe	40
PID 1520 wrote to memory of 280	1520	dj202402.exe	41
PID 1520 wrote to memory of 280	1520	dj202402.exe	41
PID 1520 wrote to memory of 280	1520	dj202402.exe	41
PID 280 wrote to memory of 520	280	cmd.exe	43
PID 280 wrote to memory of 520	280	cmd.exe	43
PID 280 wrote to memory of 520	280	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\Q6vTCQJJ.exe
    "C:\Users\Admin\AppData\Local\Temp\Q6vTCQJJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 5 /tn "Local Security Authority Process{K8G5D4S3V5F5D4-O63D4F5S6V-F7G8V3A2D4}" /tr "C:\Users\Admin\AppData\Roaming\Windows\System32\lsass.exe"
      4⤵
      Creates scheduled task(s)
      PID:556
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /Query /XML /TN "Local Security Authority Process{K8G5D4S3V5F5D4-O63D4F5S6V-F7G8V3A2D4}"
      4⤵
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\GGuQnxQA.exe
    "C:\Users\Admin\AppData\Local\Temp\GGuQnxQA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Users\Admin\AppData\Local\Temp\dj202402.exe
    "C:\Users\Admin\AppData\Local\Temp\dj202402.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\dj202402.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:520
- - C:\Users\Admin\AppData\Local\Temp\decqza3u.exe
    "C:\Users\Admin\AppData\Local\Temp\decqza3u.exe"
    3⤵
    - Executes dropped EXE
    PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GGuQnxQA.exe

Filesize
72KB

MD5
ed273349dcfdbc3ad38937b248e716d9

SHA1
ac6856ede07307fcebd2a2a6ba6dc88563f8eb73

SHA256
be25a5efd1b35505dc31bba98070dc404865b0a1411eb41a76b17e3deb845598

SHA512
5edede7fc1f954e9454bb64bbcaf7aa32310889d30613cd96efe1815c6a7ae3c9d2e94260a9305966ee61863ec9161e14a422cf2863bd0cf787bab98388eeaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGuQnxQA.exe

Filesize
72KB

MD5
ed273349dcfdbc3ad38937b248e716d9

SHA1
ac6856ede07307fcebd2a2a6ba6dc88563f8eb73

SHA256
be25a5efd1b35505dc31bba98070dc404865b0a1411eb41a76b17e3deb845598

SHA512
5edede7fc1f954e9454bb64bbcaf7aa32310889d30613cd96efe1815c6a7ae3c9d2e94260a9305966ee61863ec9161e14a422cf2863bd0cf787bab98388eeaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q6vTCQJJ.exe

Filesize
6.0MB

MD5
a38fe61434aec554fd09175050a87f0d

SHA1
c767034d05085ba0d701f0b5216ae139429eae39

SHA256
f9eeb56697ff517cb6f00fb13e5302596989147d225495b5f7b19256d4f54ec5

SHA512
a85719c1382616625a393661f92039505de63f6e21f42c1fc41d9a1179cba46b84e1b005afba27f818d8e869634d0ef6e11eb9f0ff87ec73d0627858ac0feb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q6vTCQJJ.exe

Filesize
6.0MB

MD5
a38fe61434aec554fd09175050a87f0d

SHA1
c767034d05085ba0d701f0b5216ae139429eae39

SHA256
f9eeb56697ff517cb6f00fb13e5302596989147d225495b5f7b19256d4f54ec5

SHA512
a85719c1382616625a393661f92039505de63f6e21f42c1fc41d9a1179cba46b84e1b005afba27f818d8e869634d0ef6e11eb9f0ff87ec73d0627858ac0feb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\decqza3u.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dj202402.exe

Filesize
4.0MB

MD5
16ff8074ba61c2a46cdb6c72c2c6057d

SHA1
5e7c56085209a3190a2a831fffefdeef192a6b25

SHA256
b22daf5bfcbdcd0032f07a012e34ee6eb102203963b2f488dd1cf9d14b60550f

SHA512
674c22cee088d96d42d43aa7cbd7988c01318a211185be6767e43c50dbdf5e7f0dd9e65be123127744015e17c34415feef727a08f237e350ccd04068ce28ddce

Download Submit
C:\Users\Admin\AppData\Local\Temp\dj202402.exe

Filesize
4.0MB

MD5
16ff8074ba61c2a46cdb6c72c2c6057d

SHA1
5e7c56085209a3190a2a831fffefdeef192a6b25

SHA256
b22daf5bfcbdcd0032f07a012e34ee6eb102203963b2f488dd1cf9d14b60550f

SHA512
674c22cee088d96d42d43aa7cbd7988c01318a211185be6767e43c50dbdf5e7f0dd9e65be123127744015e17c34415feef727a08f237e350ccd04068ce28ddce

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Temp\GGuQnxQA.exe

Filesize
72KB

MD5
ed273349dcfdbc3ad38937b248e716d9

SHA1
ac6856ede07307fcebd2a2a6ba6dc88563f8eb73

SHA256
be25a5efd1b35505dc31bba98070dc404865b0a1411eb41a76b17e3deb845598

SHA512
5edede7fc1f954e9454bb64bbcaf7aa32310889d30613cd96efe1815c6a7ae3c9d2e94260a9305966ee61863ec9161e14a422cf2863bd0cf787bab98388eeaae

Download Submit
\Users\Admin\AppData\Local\Temp\Q6vTCQJJ.exe

Filesize
6.0MB

MD5
a38fe61434aec554fd09175050a87f0d

SHA1
c767034d05085ba0d701f0b5216ae139429eae39

SHA256
f9eeb56697ff517cb6f00fb13e5302596989147d225495b5f7b19256d4f54ec5

SHA512
a85719c1382616625a393661f92039505de63f6e21f42c1fc41d9a1179cba46b84e1b005afba27f818d8e869634d0ef6e11eb9f0ff87ec73d0627858ac0feb51

Download Submit
\Users\Admin\AppData\Local\Temp\decqza3u.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
\Users\Admin\AppData\Local\Temp\decqza3u.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
\Users\Admin\AppData\Local\Temp\dj202402.exe

Filesize
4.0MB

MD5
16ff8074ba61c2a46cdb6c72c2c6057d

SHA1
5e7c56085209a3190a2a831fffefdeef192a6b25

SHA256
b22daf5bfcbdcd0032f07a012e34ee6eb102203963b2f488dd1cf9d14b60550f

SHA512
674c22cee088d96d42d43aa7cbd7988c01318a211185be6767e43c50dbdf5e7f0dd9e65be123127744015e17c34415feef727a08f237e350ccd04068ce28ddce

Download Submit
\Users\Admin\AppData\Local\Temp\dj202402.exe

Filesize
4.0MB

MD5
16ff8074ba61c2a46cdb6c72c2c6057d

SHA1
5e7c56085209a3190a2a831fffefdeef192a6b25

SHA256
b22daf5bfcbdcd0032f07a012e34ee6eb102203963b2f488dd1cf9d14b60550f

SHA512
674c22cee088d96d42d43aa7cbd7988c01318a211185be6767e43c50dbdf5e7f0dd9e65be123127744015e17c34415feef727a08f237e350ccd04068ce28ddce

Download Submit
memory/684-107-0x0000000001350000-0x0000000002162000-memory.dmp

Filesize
14.1MB

Download
memory/684-112-0x0000000001350000-0x0000000002162000-memory.dmp

Filesize
14.1MB

Download
memory/816-84-0x0000000000400000-0x0000000000D6E000-memory.dmp

Filesize
9.4MB

Download
memory/816-86-0x0000000000400000-0x0000000000D6E000-memory.dmp

Filesize
9.4MB

Download
memory/816-93-0x0000000000400000-0x0000000000D6E000-memory.dmp

Filesize
9.4MB

Download
memory/1240-94-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/1240-92-0x0000000000F20000-0x0000000000F38000-memory.dmp

Filesize
96KB

Download
memory/1244-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-99-0x00000000041F0000-0x0000000004FC9000-memory.dmp

Filesize
13.8MB

Download
memory/1244-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-101-0x00000000041F0000-0x0000000004FC9000-memory.dmp

Filesize
13.8MB

Download
memory/1244-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1252-60-0x0000000070B10000-0x00000000710BB000-memory.dmp

Filesize
5.7MB

Download
memory/1252-59-0x0000000070B10000-0x00000000710BB000-memory.dmp

Filesize
5.7MB

Download
memory/1252-58-0x0000000070B10000-0x00000000710BB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-100-0x0000000000FB0000-0x0000000001D89000-memory.dmp

Filesize
13.8MB

Download
memory/1520-110-0x0000000000FB0000-0x0000000001D89000-memory.dmp

Filesize
13.8MB

Download
memory/1972-54-0x0000000000990000-0x0000000000A6C000-memory.dmp

Filesize
880KB

Download
memory/1972-55-0x0000000076761000-0x0000000076763000-memory.dmp

Filesize
8KB

Download