raccoon | 599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e

Analysis

max time kernel
54s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-10-2022 06:36

Target

07d6b4373f270ffefd756cf6ae19a486.exe
Size

776KB
MD5

07d6b4373f270ffefd756cf6ae19a486
SHA1

bf202d7bf1b73cb6a022b67557a5b83168059b8d
SHA256

599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
SHA512

39ba2f248de3bd2bba8d8d5601c8afd10427ec3b98ed8ff976e09cf966ab9a0c103e9adb07be4ec7cf97ac981810a67b2960b154fdfda2eeac9a4e72d3038075
SSDEEP

6144:yBZFk0sdr9W7bSwMJlj9Ntm6Q2mCC//////////////////////////////////g:yBQ0sF9WPMJhfkjOy8n9a8n99

Score

10^/10

Family

raccoon

Botnet

0ec468673cadb705e7aab6a7b0bb3906

http://193.106.191.150/

rc4.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Suspicious use of SetThreadContext 1 IoCs

Processes:

07d6b4373f270ffefd756cf6ae19a486.exe

description pid process target process

PID 1764 set thread context of 2004 1764 07d6b4373f270ffefd756cf6ae19a486.exe 07d6b4373f270ffefd756cf6ae19a486.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

07d6b4373f270ffefd756cf6ae19a486.exe

pid process

1764 07d6b4373f270ffefd756cf6ae19a486.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

07d6b4373f270ffefd756cf6ae19a486.exe

pid process

1764 07d6b4373f270ffefd756cf6ae19a486.exe

description	pid	process	target process
PID 1764 set thread context of 2004	1764	07d6b4373f270ffefd756cf6ae19a486.exe	07d6b4373f270ffefd756cf6ae19a486.exe

pid	process
1764	07d6b4373f270ffefd756cf6ae19a486.exe

pid	process
1764	07d6b4373f270ffefd756cf6ae19a486.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

07d6b4373f270ffefd756cf6ae19a486.exe

description	pid	process	target process
PID 1764 wrote to memory of 2004	1764	07d6b4373f270ffefd756cf6ae19a486.exe	07d6b4373f270ffefd756cf6ae19a486.exe
PID 1764 wrote to memory of 2004	1764	07d6b4373f270ffefd756cf6ae19a486.exe	07d6b4373f270ffefd756cf6ae19a486.exe
PID 1764 wrote to memory of 2004	1764	07d6b4373f270ffefd756cf6ae19a486.exe	07d6b4373f270ffefd756cf6ae19a486.exe
PID 1764 wrote to memory of 2004	1764	07d6b4373f270ffefd756cf6ae19a486.exe	07d6b4373f270ffefd756cf6ae19a486.exe
PID 1764 wrote to memory of 2004	1764	07d6b4373f270ffefd756cf6ae19a486.exe	07d6b4373f270ffefd756cf6ae19a486.exe

C:\Users\Admin\AppData\Local\Temp\07d6b4373f270ffefd756cf6ae19a486.exe
"C:\Users\Admin\AppData\Local\Temp\07d6b4373f270ffefd756cf6ae19a486.exe"
2⤵
PID:2004

memory/1764-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1764-58-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/2004-57-0x0000000000408597-mapping.dmp

Download
memory/2004-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download