raccoon | cd22af088500bf7c0602a7c4951eacda5c63d8f5e65c0350eb90589e153688c6 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

cd22af088500bf7c0602a7c4951eacda5c63d8f5e65c0350eb90589e153688c6
Size

386KB
Sample

220907-yr12bsabeq
MD5

e1626e2d28a6709a79aefc82caf3953f
SHA1

9129f39b543ac4c9b500c19da3f2fb462a35a899
SHA256

cd22af088500bf7c0602a7c4951eacda5c63d8f5e65c0350eb90589e153688c6
SHA512

7b535037c345a034ccac721b82ad4a1ae04785d947731a0493b8d104276b4ee1ca9072a825e35a87849f2bf5ae6cc6fc9536dcac80a7b52571f2198738b66e84
SSDEEP

12288:rO1UAJgO0d5vgEiNxWprEcCoulkXP9Mbv:i1NEiPsrEDUP9Mb

Score

10^/10

raccoon 654b3e7f2d409dcde795b5d2dacf4955 discovery evasion exploit spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

cd22af088500bf7c0602a7c4951eacda5c63d8f5e65c0350eb90589e153688c6.exe

Resource

win10v2004-20220812-en

raccoon 654b3e7f2d409dcde795b5d2dacf4955 discovery evasion exploit spyware stealer

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

raccoon

Botnet

654b3e7f2d409dcde795b5d2dacf4955

C2

http://46.249.58.152/

rc4.plain

Targets

- Target
  
  cd22af088500bf7c0602a7c4951eacda5c63d8f5e65c0350eb90589e153688c6
- Size
  
  386KB
- MD5
  
  e1626e2d28a6709a79aefc82caf3953f
- SHA1
  
  9129f39b543ac4c9b500c19da3f2fb462a35a899
- SHA256
  
  cd22af088500bf7c0602a7c4951eacda5c63d8f5e65c0350eb90589e153688c6
- SHA512
  
  7b535037c345a034ccac721b82ad4a1ae04785d947731a0493b8d104276b4ee1ca9072a825e35a87849f2bf5ae6cc6fc9536dcac80a7b52571f2198738b66e84
- SSDEEP
  
  12288:rO1UAJgO0d5vgEiNxWprEcCoulkXP9Mbv:i1NEiPsrEDUP9Mb
Score

10^/10

raccoon 654b3e7f2d409dcde795b5d2dacf4955 discovery evasion exploit spyware stealer
- Modifies security service
  evasion
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Impair Defenses

File Permissions Modification

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

raccoon654b3e7f2d409dcde795b5d2dacf4955discoveryevasionexploitspywarestealer

© 2018-2024

Terms | Privacy