raccoon | d61baf5e3eb992ddab38f768d833a21b6f6d43bb2eb167d6858e79a10a6fb4dd

General

Target

Setup/Setup.exe
Size

700.0MB
MD5

9438ae7dc36c6bdb54ab76d511d6f674
SHA1

e518a130b77432e5c266e33bf13eeb68237883a3
SHA256

aa546d18a4474e37352ceead9d799312f932f07b1cba26adf8e626d8ad0c152c
SHA512

9268d5b182713a8ebca656135c1407c3e64465d808111e3f975905da34a0745e2e6daafc432da3e9345feb3110854f6a898533c1995dc72d58b1b7b56b97d4f2
SSDEEP

1536:3Id1qx6P4H4+Y1fUukhVuM94fHqHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHz:H4+Y18fHOMMMMZMMMMMMMMMMMMJg

Score

10^/10

raccoon 7be6431f3fa3eaa6e36b23bbc5559b9a agilenet discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

7be6431f3fa3eaa6e36b23bbc5559b9a

C2

http://77.73.133.69/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

MH7Xo2C1.exe

pid process

4480 MH7Xo2C1.exe

pid	process
4480	MH7Xo2C1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Setup.exe

Loads dropped DLL 3 IoCs

Processes:

Setup.exe

pid process

64 Setup.exe
64 Setup.exe
64 Setup.exe

pid	process
64	Setup.exe
64	Setup.exe
64	Setup.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4328-132-0x0000000000E90000-0x0000000000EC8000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

Setup.exeMH7Xo2C1.exe

description	pid	process	target process
PID 4328 set thread context of 64	4328	Setup.exe	Setup.exe
PID 4480 set thread context of 102228	4480	MH7Xo2C1.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4232 schtasks.exe
4328 schtasks.exe

pid	process
4232	schtasks.exe
4328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exeSetup.exeAppLaunch.exepowershell.exe

pid	process
3924	powershell.exe
3924	powershell.exe
4328	Setup.exe
4328	Setup.exe
102228	AppLaunch.exe
102396	powershell.exe
102396	powershell.exe
102228	AppLaunch.exe
102228	AppLaunch.exe
102228	AppLaunch.exe
102228	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Setup.exepowershell.exeAppLaunch.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4328	Setup.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	102228	AppLaunch.exe
Token: SeDebugPrivilege	102396	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Setup.exeSetup.exeMH7Xo2C1.exeAppLaunch.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4328 wrote to memory of 3924	4328	Setup.exe	powershell.exe
PID 4328 wrote to memory of 3924	4328	Setup.exe	powershell.exe
PID 4328 wrote to memory of 3924	4328	Setup.exe	powershell.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 4328 wrote to memory of 64	4328	Setup.exe	Setup.exe
PID 64 wrote to memory of 4480	64	Setup.exe	MH7Xo2C1.exe
PID 64 wrote to memory of 4480	64	Setup.exe	MH7Xo2C1.exe
PID 64 wrote to memory of 4480	64	Setup.exe	MH7Xo2C1.exe
PID 4480 wrote to memory of 102228	4480	MH7Xo2C1.exe	AppLaunch.exe
PID 4480 wrote to memory of 102228	4480	MH7Xo2C1.exe	AppLaunch.exe
PID 4480 wrote to memory of 102228	4480	MH7Xo2C1.exe	AppLaunch.exe
PID 4480 wrote to memory of 102228	4480	MH7Xo2C1.exe	AppLaunch.exe
PID 4480 wrote to memory of 102228	4480	MH7Xo2C1.exe	AppLaunch.exe
PID 102228 wrote to memory of 102340	102228	AppLaunch.exe	cmd.exe
PID 102228 wrote to memory of 102340	102228	AppLaunch.exe	cmd.exe
PID 102228 wrote to memory of 102340	102228	AppLaunch.exe	cmd.exe
PID 102340 wrote to memory of 102396	102340	cmd.exe	powershell.exe
PID 102340 wrote to memory of 102396	102340	cmd.exe	powershell.exe
PID 102340 wrote to memory of 102396	102340	cmd.exe	powershell.exe
PID 102228 wrote to memory of 3952	102228	AppLaunch.exe	cmd.exe
PID 102228 wrote to memory of 3952	102228	AppLaunch.exe	cmd.exe
PID 102228 wrote to memory of 3952	102228	AppLaunch.exe	cmd.exe
PID 102228 wrote to memory of 4736	102228	AppLaunch.exe	cmd.exe
PID 102228 wrote to memory of 4736	102228	AppLaunch.exe	cmd.exe
PID 102228 wrote to memory of 4736	102228	AppLaunch.exe	cmd.exe
PID 3952 wrote to memory of 4232	3952	cmd.exe	schtasks.exe
PID 3952 wrote to memory of 4232	3952	cmd.exe	schtasks.exe
PID 3952 wrote to memory of 4232	3952	cmd.exe	schtasks.exe
PID 4736 wrote to memory of 4328	4736	cmd.exe	schtasks.exe
PID 4736 wrote to memory of 4328	4736	cmd.exe	schtasks.exe
PID 4736 wrote to memory of 4328	4736	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe
2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Roaming\MH7Xo2C1.exe
"C:\Users\Admin\AppData\Roaming\MH7Xo2C1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:102228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGwAQwA1AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAEIASwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBNAGQAdAA3AGoAVgA3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEsAbgBZAGIANQBSAGMANwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
5⤵
- Suspicious use of WriteProcessMemory
PID:102340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGwAQwA1AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAEIASwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBNAGQAdAA3AGoAVgA3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEsAbgBZAGIANQBSAGMANwAjAD4A"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:102396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4232

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3529" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3529" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
4d5468946ba4b082a3c4358d4d3e6920

SHA1
0c98a704c578529d8a889a80513188755c3ba635

SHA256
60cb33d9fb3f107cca352277b67a1f98abae330e1b43f3336f27f6ddab2024ee

SHA512
d069cf4aeebcbe3471cc69d6fa88d6b3bc4ec2bc2b819c23a9d85f8ef274c1db653878c441fc35c5d60508b77d4ccc25179b7988d824d92671133e434b04694e

Download Submit
C:\Users\Admin\AppData\Roaming\MH7Xo2C1.exe
Filesize
2.5MB

MD5
3bea67576f607d6d72aa769111f312f6

SHA1
43ae1d57af2f940377bee0c9ba87f3751c5bc39c

SHA256
0773dc94edc6ee45e78c1780c7efe21abb643e8f662072ec01f1553a9c31bc72

SHA512
fe33a6f13fc02944ce5b3f5274af4c2b8fd39c070e3063f0bc4e70cdee11aedea9f4de3c9744ef42714d68a8e77c1abf658e0a4e0f33053d415b2bcded31a3dd

Download Submit
C:\Users\Admin\AppData\Roaming\MH7Xo2C1.exe
Filesize
2.5MB

MD5
3bea67576f607d6d72aa769111f312f6

SHA1
43ae1d57af2f940377bee0c9ba87f3751c5bc39c

SHA256
0773dc94edc6ee45e78c1780c7efe21abb643e8f662072ec01f1553a9c31bc72

SHA512
fe33a6f13fc02944ce5b3f5274af4c2b8fd39c070e3063f0bc4e70cdee11aedea9f4de3c9744ef42714d68a8e77c1abf658e0a4e0f33053d415b2bcded31a3dd

Download Submit
memory/64-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/64-142-0x0000000000000000-mapping.dmp

Download
memory/64-143-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/64-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/64-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3924-141-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

Filesize
104KB

Download
memory/3924-139-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/3924-138-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/3924-137-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/3924-135-0x0000000005230000-0x0000000005266000-memory.dmp

Filesize
216KB

Download
memory/3924-134-0x0000000000000000-mapping.dmp

Download
memory/3924-136-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/3924-140-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/3952-173-0x0000000000000000-mapping.dmp

Download
memory/4232-175-0x0000000000000000-mapping.dmp

Download
memory/4328-176-0x0000000000000000-mapping.dmp

Download
memory/4328-132-0x0000000000E90000-0x0000000000EC8000-memory.dmp

Filesize
224KB

Download
memory/4328-133-0x0000000009530000-0x0000000009552000-memory.dmp

Filesize
136KB

Download
memory/4480-151-0x0000000000000000-mapping.dmp

Download
memory/4736-174-0x0000000000000000-mapping.dmp

Download
memory/102228-161-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/102228-162-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/102228-154-0x0000000000000000-mapping.dmp

Download
memory/102228-155-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/102228-160-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/102340-163-0x0000000000000000-mapping.dmp

Download
memory/102396-169-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

Filesize
304KB

Download
memory/102396-172-0x0000000007740000-0x00000000077D6000-memory.dmp

Filesize
600KB

Download
memory/102396-171-0x0000000007550000-0x000000000755A000-memory.dmp

Filesize
40KB

Download
memory/102396-170-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/102396-164-0x0000000000000000-mapping.dmp

Download
memory/102396-168-0x0000000006770000-0x00000000067A2000-memory.dmp

Filesize
200KB

Download
memory/102396-177-0x0000000006020000-0x000000000602E000-memory.dmp

Filesize
56KB

Download
memory/102396-178-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/102396-179-0x00000000076E0000-0x00000000076E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads